CN112231755A - Data authorization method, device and system based on block chain - Google Patents

Publication number: CN112231755A
Authority: CN (China)
Prior art keywords: authorization, information, node, contract, data
Legal status: Pending
Application number: CN202011165802.XA
Other languages: Chinese (zh)
Inventors: 王兆创, 郭懿心, 韦德志, 郑伟涛, 刘友为
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by: Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The application discloses a data authorization method, device and system based on a blockchain, belonging to the technical field of blockchains. The method comprises the following steps: the first blockchain acquires authorization contract information generated by an authorizer signing the associated authorization information of a target service based on a second private key, the authorization contract information carrying first specified synchronization information; the first blockchain sends the authorization contract information to an authorization data providing node based on the first specified synchronization information; the authorization data providing node calls a first intelligent contract to perform authorization verification on the authorization contract information and, when the authorization verification passes, sends authorization data corresponding to the authorization contract information to the first blockchain, the authorization data carrying second specified synchronization information; the first blockchain sends the authorization data to the service node based on the second specified synchronization information. With the technical scheme provided by the application, data authorization can be traced and cannot be tampered with, and the security of user data is greatly improved.

Description

Data authorization method, device and system based on block chain
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a method, an apparatus, and a system for data authorization based on a blockchain.
Background
In some internet application scenarios, a user often handles related services on a service platform, and during service handling the user often needs to authorize the service platform to obtain the user's related data from a third party.
In the related technology, user authorization is verified as follows: the user only clicks to agree on a page provided by the service platform, the service party performs identity verification on the user, and the user authorization is determined to be valid once the identity verification passes. In the related technology, only the service party can carry out authorization verification; other participating parties cannot verify the user's authorization, so problems such as counterfeit authorization and insecure user data exist.
Disclosure of Invention
The application provides a data authorization method, a device and a system based on a block chain, which can ensure that data authorization can be traced and cannot be tampered, and greatly improve the security of user data.
In one aspect, the present application provides a data authorization method based on a block chain, where the method includes:
acquiring authorization contract information generated by an authorizer signing the associated authorization information of the target service based on a second private key; the second private key is a private key which is applied for by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first specified synchronization information, and the first specified synchronization information is used for specifying that the authorization contract information is synchronized to an authorization data providing node;
sending the authorization contract information to the authorization data providing node based on the first specified synchronization information so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
receiving authorization data corresponding to the authorization contract information sent by the authorization data providing node under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data is synchronized to the service node;
sending the authorization data to the service node based on the second specified synchronization information.
In another aspect, a method for data authorization based on a block chain is further provided, where the method includes:
acquiring authorization contract information from the first blockchain, wherein the authorization contract information is generated by an authorizer signing the associated authorization information of a target service based on a second private key; the second private key is a private key which is applied for by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
calling a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
sending authorization data corresponding to the authorization contract information to the first blockchain under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data is synchronized to the service node, such that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
In another aspect, a data authorization system based on a block chain is further provided, where the system includes:
the system comprises a first block chain, a service node and an authorization data providing node;
the first blockchain is used for acquiring authorization contract information, the authorization contract information carries first specified synchronization information, and the first specified synchronization information is used for specifying that the authorization contract information is synchronized to an authorization data providing node; for sending the authorization contract information to the authorization data providing node based on the first specified synchronization information; and for sending authorization data to the service node based on the second specified synchronization information;
the authorization data providing node is used for calling a first intelligent contract on the first blockchain to carry out authorization verification on the authorization contract information; and for sending authorization data corresponding to the authorization contract information to the first blockchain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
the service node is configured to obtain the authorization data from the first blockchain.
In another aspect, a device for data authorization based on a block chain is further provided, where the device includes:
the first authorization contract information acquisition module is used for acquiring authorization contract information, and the authorization contract information is generated by an authorizer signing the associated authorization information of a target service based on a second private key; the second private key is a private key which is applied for by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first specified synchronization information, and the first specified synchronization information is used for specifying that the authorization contract information is synchronized to an authorization data providing node;
a first authorization contract information sending module, configured to send the authorization contract information to the authorization data providing node based on the first specified synchronization information, so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
a first authorization data receiving module, configured to receive authorization data corresponding to the authorization contract information sent by the authorization data providing node when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
a first authorization data sending module, configured to send the authorization data to the service node based on the second specified synchronization information.
In another aspect, a device for data authorization based on a block chain is further provided, where the device includes:
the second authorization contract information acquisition module is used for acquiring authorization contract information from the first blockchain, wherein the authorization contract information is generated by an authorizer signing the associated authorization information of a target service based on a second private key; the second private key is a private key which is applied for by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
the authorization verification module is used for calling a first intelligent contract on the first blockchain to carry out authorization verification on the authorization contract information;
a second authorization data sending module, configured to send authorization data corresponding to the authorization contract information to the first blockchain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node, such that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
In another aspect, a device for data authorization based on a block chain is further provided, where the device includes a processor and a memory, where at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the block chain based data authorization method as described above.
Another aspect provides a computer-readable storage medium, in which at least one instruction or at least one program is stored, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the block chain based data authorization method as described above.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations described above.
The block chain-based data authorization method, device and system have the following technical effects:
According to the method and the system, the authorization contract information is put on the chain based on the private key of the authorizer, which guarantees forgery prevention and open verification in the authorization process. The authorization contract information is verified by the first intelligent contract deployed on the blockchain, so that other participating nodes on the blockchain can verify the user's authorization. The authorization data providing node provides authorization data on the basis that the user has authorized it, and the service party obtains data according to the authorization. The whole data authorization flow is put on the blockchain, and each operation of each participating node can be put on the blockchain, which ensures that the data obtained under each authorization can be traced and cannot be tampered with throughout the process, and greatly improves the security of the user data.
Drawings
In order to more clearly illustrate the technical solutions and advantages of the embodiments of the present application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of an application environment for data authorization based on a blockchain according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a data authorization method based on a blockchain according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of putting the requirement contract information on the chain and determining the associated authorization information according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of an authorization data providing node invoking a first intelligent contract on a first blockchain to perform authorization verification on authorization contract information according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of another blockchain-based data authorization method according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of another blockchain-based data authorization method according to an embodiment of the present application;
Fig. 7 is a schematic flowchart of another blockchain-based data authorization method according to an embodiment of the present application;
Fig. 8 is a schematic flowchart of another blockchain-based data authorization method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a data authorization apparatus based on a blockchain according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another blockchain-based data authorization apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of another blockchain-based data authorization apparatus according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism and an encryption algorithm. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include an underlying platform, a platform product services layer, and an application services layer.
The underlying platform may include processing modules for user management, basic services, intelligent contracts (i.e., smart contracts), and operation monitoring. The user management module is responsible for identity information management of all blockchain participants, including generation and maintenance of public and private keys (account management), key management, and maintenance of the correspondence between a user's real identity and blockchain address (authority management); where authorized, it supervises and audits the transactions of certain real identities and provides rule configuration for risk control (risk-control audit). The basic service module is deployed on all blockchain node devices and is used to verify the validity of service requests and to record valid requests to storage after consensus is reached; for a new service request, the basic service first performs interface adaptation, parsing and authentication (interface adaptation), then encrypts the service information through a consensus algorithm (consensus management), transmits it completely and consistently to the shared ledger after encryption (network communication), and records and stores it. The intelligent contract module is responsible for contract registration and issuance, contract triggering and contract execution; developers can define contract logic in a programming language and issue it to the blockchain (contract registration), and the contract is triggered and executed by a key call or another event according to the logic of the contract terms to complete the contract logic; the module also provides functions for upgrading and cancelling contracts. The operation monitoring module is mainly responsible for deployment, configuration modification, contract setting and cloud adaptation during product release, and for visual output of real-time states during product operation, such as alarms, monitoring of network conditions, and monitoring of node device health status.
The platform product service layer provides basic capability and an implementation framework of typical application, and developers can complete block chain implementation of business logic based on the basic capability and the characteristics of the superposed business. The application service layer provides the application service based on the block chain scheme for the business participants to use.
Referring to fig. 1, fig. 1 is a schematic diagram of an application environment for data authorization based on a blockchain according to an embodiment of the present disclosure, and as shown in fig. 1, the application environment may include a first blockchain 100 and a second blockchain 200.
In this embodiment, the first blockchain 100 may be an underlying platform in the blockchain system, and optionally, the first blockchain 100 may include a plurality of (at least two) undifferentiated blockchain nodes 101. The second blockchain 200 may be an upper-layer blockchain (i.e., the platform product service layer) of the first blockchain; optionally, the second blockchain may include an authorization node 201, a service node 202, an authorization data providing node 203, and a supervisory node 204.
In this embodiment, the authorization node 201 may be the blockchain node of an authorizer in the blockchain. The authorizer may be the object (user) to which the service party provides services. The service node 202 may be the blockchain node, in the blockchain, of the service party that provides services to the authorizer. The authorization data providing node 203 may be the blockchain node of an authorization data provider in the blockchain, and the authorization data provider may be the provider of the data that must be supplied by a third party in the course of the service party providing services to the authorizer. The supervisory node 204 may be the blockchain node, in the blockchain, of a supervisor that supervises the process in which the service party obtains authorization data from the authorization data provider.
In practical applications, the authorization node 201, the service node 202, the authorization data providing node 203, and the supervisory node 204 may each register in the first blockchain, that is, apply for a public and private key pair from the first blockchain, and the public and private keys applied for by the authorization node 201, the service node 202, the authorization data providing node 203, and the supervisory node 204 may identify the identities of the authorizer, the service party, the authorization data provider, and the supervisor respectively. In the embodiment of the present specification, the authorizer, the service party, the authorization data provider, and the supervisor each keep and use their own private keys, and their public keys may be shared.
In an alternative embodiment, the authorizer may be an enterprise, the service party may be a financial institution, the authorization data provider may be a credit bureau, and the supervisor may be a regulatory institution.
In the embodiment of the present specification, a blockchain node may be a client or a server; in particular, the client may include, but is not limited to, a smart phone, a desktop computer, a tablet computer, a laptop computer, a smart speaker, a digital assistant, an Augmented Reality (AR)/Virtual Reality (VR) device, a smart wearable device, and other types of electronic devices. The software running on the electronic device may be an application program, an applet, or the like. Specifically, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like.
In the embodiment of the present disclosure, the client and the server may be directly or indirectly connected through a wired or wireless communication manner, and the present disclosure is not limited herein.
A block chain-based data authorization method according to the present application is described below, and fig. 2 is a schematic flow chart of a block chain-based data authorization method according to an embodiment of the present application, where the present specification provides the method operation steps as described in the embodiment or the flowchart, but may include more or less operation steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. In actual system or product execution, sequential execution or parallel execution (e.g., parallel processor or multi-threaded environment) may be possible according to the embodiments or methods shown in the figures. Specifically, as shown in fig. 2, the method may include:
S201: The first blockchain obtains authorization contract information.
In practical applications, the authorization contract information may be obtained from any one of the blockchain nodes on the first blockchain. In this embodiment of the present specification, the authorization contract information may be generated by the authorizer signing the associated authorization information of the target service based on the second private key. The authorization contract information may carry first designated synchronization information, and the first designated synchronization information may be used to designate synchronization of the authorization contract information to the authorization data providing node.
In this embodiment of the present specification, the second private key may be a private key that is applied for by the authorization node in the first blockchain and identifies the identity of the authorizer. The target service may be a service that the service party provides to the authorizer; the associated authorization information of the target service may include the associated requirement information of the target service, a service party signature, and authorization attribute information of the authorizer.
In this embodiment, the associated requirement information of the service party may represent the requirement of the service party and information related to the requirement. In an optional embodiment, the associated requirement information of the service provider may include related data (i.e., authorization data) of an authorizer that needs to be provided by a third party (i.e., an authorization data provider) related to the target service, service identification information (encoded identification of the service provider in the first blockchain), a first public key of the service provider (a public key that is applied by the service node in the first blockchain and identifies an identity of the service provider), identification information of a service that the service provider provides to the authorizer, and a data transmission frequency (i.e., a period of the authorization data, for example, the transmitted authorization data is divided by months); optionally, in practical applications, the same service provided by the service provider to the authorizer may have different authorization ranges, and correspondingly, in order to distinguish the authorization contract information corresponding to different authorization ranges of the same service, the association requirement information may further include a version number (version of the authorization contract information). In a specific embodiment, if the target service is a loan service, that is, in a scenario where an authorizer needs to apply for a loan from a service provider, authorization data related to the target service and provided by a third party (that is, an authorization data provider) may be a credit investigation report of the authorizer provided by a credit investigation institution (third party).
In this embodiment of the present specification, the service party signature may represent signature information of the service party for the associated requirement information of the target service. In practical applications, the service party puts the requirement contract information on the chain in advance according to the actual service requirement in the target service processing process, so that the authorizer can combine the requirements of the service party to generate the associated authorization information. Accordingly, as shown in fig. 3, the method may further include:
S301: The service node acquires requirement contract information generated by the service party signing the associated requirement information of the target service based on the first private key.
In an embodiment of the present specification, the first private key is a private key that is applied for by the service node in the first blockchain and identifies the identity of the service party corresponding to the service node. The requirement contract information may include the associated requirement information of the target service and a service party signature corresponding to the associated requirement information.
In practical application, an application service layer of the service party can provide a corresponding signing page on which the service party signs the associated requirement information of the target service based on the first private key and generates the requirement contract information; accordingly, the service party side of the application service layer (specifically, a server of the service party) may transmit the requirement contract information to the service node.
In a specific embodiment, signing the associated requirement information of the target service based on the first private key and generating the requirement contract information may include: encrypting the associated requirement information of the target service by using a second private key and a preset encryption algorithm to obtain encrypted associated requirement information, where the encrypted associated requirement information can be used as the service party signature; the service party signature and the associated requirement information of the target service are then used as the requirement contract information.
In an alternative embodiment, the preset encryption algorithm may include, but is not limited to, an asymmetric encryption algorithm such as the national cryptographic algorithm SM1 (SM1 cryptographic algorithm).
S303: The service node sends the requirement contract information to the first blockchain, where the requirement contract information carries fourth specified synchronization information.
In this embodiment of the present specification, the fourth specified synchronization information is used to specify that the requirement contract information is synchronized to the authorization node. Optionally, the fourth specified synchronization information may refer to the authorized node through identification information of the authorized node, and in a specific embodiment, when the authorized party corresponding to the authorized node is an enterprise, the identification information of the authorized node may be an enterprise tax payment identification number.
S305: the first blockchain sends the requirement contract information to the authorization node based on the fourth specified synchronization information.
S307: The authorization node calls a second intelligent contract on the first blockchain to perform authorization verification on the requirement contract information.
In practical applications, the second intelligent contract may be deployed on the first blockchain in advance by any blockchain node on the first blockchain. In this embodiment of the present specification, the second intelligent contract may be a computer protocol intended to verify digitally that the demand contract information is signed by the service party; specifically, it may be verification code that checks, based on the service party's on-chain public key (the first public key), that the demand contract information is signed by the service party. In a specific embodiment, invoking the second intelligent contract on the first blockchain to perform authorization verification on the demand contract information may include: acquiring a first public key and service identification information of the service node from the first blockchain; performing identity verification on the service node based on the first public key and the service identification information of the service node acquired from the first blockchain and the first public key and the service identification information of the service node in the authorization contract information; and, when the identity of the service node passes the verification, verifying the service party signature in the requirement contract information by using the first public key of the service node, wherein the service party signature represents the signature information of the service party on the associated requirement information of the target service.
In a specific embodiment, verifying the service party signature in the demand contract information by using the first public key of the service node may include: decrypting the service party signature by using the first public key and the algorithm (the preset encryption algorithm) corresponding to the algorithm identifier in the demand contract information, and comparing the decrypted data with the associated demand information in the demand contract information. If the decrypted data is consistent with the associated demand information in the demand contract information, the service party signature passes the verification; otherwise, if the decrypted data is inconsistent with the associated requirement information in the requirement contract information, the service party signature does not pass the verification.
Correspondingly, when the signature of the service party passes the verification, the authorization verification of the requirement contract information is determined to pass, that is, the requirement contract information is authorized to be signed by the service party.
S309: When the authorization verification passes, the authorization node determines the associated authorization information of the target service based on the requirement contract information.
In a specific embodiment, the authorization node determining the associated authorization information of the target service based on the requirement contract information may include: using the authorization attribute information of the authorizer, the service party signature in the requirement contract information, and the associated requirement information of the target service as the associated authorization information of the target service.
In the embodiment of the present specification, the authorization attribute information of the authorizer can represent the authorization information by which the authorizer authorizes the service party to obtain the data the service party requires. In an alternative embodiment, the authorization attribute information of the authorizer may include identification information of the authorizer, an algorithm identification (identification information of a preset encryption algorithm), a first public key of the authorizer, a contract authorization time (i.e., a contract validation start time), and a contract validity period. Optionally, in order to facilitate subsequent expansion of more authorization information, the authorization attribute information may further include expandable information.
In an alternative embodiment, the uplink of the authorization contract information may be performed by the authorizing node, that is, the authorizing node may send the authorization contract information to any blockchain node on the first blockchain. Correspondingly, the authorizing party corresponding to the authorizing node provides an authorizing and signing interface for signing the associated authorization information related to the target service initiated by the authorizing party in the application service layer, and correspondingly, the authorizing party can sign the associated authorization information of the target service based on the second private key in the authorizing and signing interface to generate the authorization contract information. Accordingly, an authorizer (specifically, a server of the authorizer) of the application service layer may transmit the authorization contract information to the authorization node.
In an alternative embodiment, the uplink of the authorization contract information may be completed by the service node, that is, the service node may send the authorization contract information to any blockchain node on the first blockchain. Correspondingly, a service party corresponding to the service node provides a service platform on an application service layer for an authorized party to initiate a service request; after the authorizer initiates a service request, the service party provides an authorization signing interface for signing associated authorization information related to the target service initiated by the authorizer in an application service layer, and correspondingly, the authorizer can sign the associated authorization information of the target service based on the second private key in the authorization signing interface to generate authorization contract information. Accordingly, a service side (specifically, a server of the service side) of the application service layer may transmit the authorization contract information to the service node.
In a specific embodiment, signing the associated authorization information of the target service based on the second private key, and generating the authorization contract information may include: encrypting the associated authorization information of the target service by using a second private key and a preset encryption algorithm to obtain encrypted associated authorization information, wherein the encrypted associated authorization information can be used as an authorization party signature; and then, the signature of the authorizer and the associated authorization information of the target service are taken as the authorization contract information.
In a specific embodiment, Table 1 shows an example of the authorization contract information (the fields it contains) provided in the embodiments of the present specification, with a description of each field.
TABLE 1

| Field | Description |
| --- | --- |
| Version number | Contract version number |
| Service party ID | ID of the service party in the first blockchain |
| Service ID of service party | Service ID provided by the service party |
| Service side public key | Public key applied for by the service party in the first blockchain |
| Data range | Data range to be synchronized by an authorized party to a service party |
| Frequency of data transmission | Period of authorization data |
| Service party signature | Obtained by the service party signing the fields with its private key |
| Authorizer ID | Tax identification number |
| Algorithm identification | Identification of a preset encryption algorithm |
| Authorizer public key | Public key applied for by the authorizer in the first blockchain |
| Time of authorization | Contract effective time |
| Period of validity of contract | Data range to be synchronized by an authorized party to a financial institution |
| Authorizer signature | Obtained by the authorizer signing the fields with its private key |
In the embodiment of the present specification, putting on the chain the authorization contract information obtained by signing with the authorizer's second private key ensures anti-forgery and public verifiability in the subsequent authorization process, and using the blockchain ensures that the authorization process is tamper-proof and traceable.
S203: the first blockchain transmits the authorization contract information to the authorization data providing node based on the first specified synchronization information.
In this embodiment, the first blockchain may send, in combination with the first specified synchronization information, the authorization contract information on the chain to the data synchronizer (authorized data providing node) pointed by the first specified synchronization information.
S205: The authorization data providing node calls the first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information.
In practical applications, the first intelligent contract may be deployed on the first blockchain in advance by any blockchain node on the first blockchain. In this embodiment, the first intelligent contract may be a computer protocol intended to verify digitally that the authorization contract information is signed by the authorizer; specifically, it may be verification code that checks, based on the authorizer's on-chain public key (the second public key), that the authorization contract information is signed by the authorizer.
In a specific embodiment, as shown in fig. 4, the authorizing data providing node invoking the first intelligent contract on the first blockchain to perform authorization verification on the authorizing contract information may include:
S401: The authorization data providing node acquires a first public key and service identification information of the service node from the first blockchain;
S403: The authorization data providing node performs identity verification on the service node based on the first public key and the service identification information of the service node acquired from the first blockchain and the first public key and the service identification information of the service node in the authorization contract information;
Specifically, if the first public key and the service identification information of the service node acquired from the first blockchain are respectively consistent with the first public key and the service identification information of the service node in the authorization contract information, it may be determined that the identity verification of the service node passes. On the contrary, if the first public key of the service node acquired from the first blockchain is not consistent with the first public key of the service node in the authorization contract information, or the service identification information of the service node acquired from the first blockchain is not consistent with the service identification information of the service node in the authorization contract information, it may be determined that the identity verification of the service node fails.
S405: When the identity of the service node passes the verification, the authorization data providing node verifies the service party signature in the authorization contract information by using the first public key of the service node, where the service party signature represents the service party's signature information for the associated demand information of the target service;
S407: When the service party signature passes the verification, the authorization data providing node acquires a second public key and service identification information of the authorization node from the first blockchain;
S409: The authorization data providing node performs identity verification on the authorization node based on the second public key and the service identification information of the authorization node acquired from the first blockchain and the second public key and the service identification information of the authorization node in the authorization contract information;
Specifically, if the second public key and the service identification information of the authorization node acquired from the first blockchain are respectively consistent with the second public key and the service identification information of the authorization node in the authorization contract information, it may be determined that the identity verification of the authorization node passes. On the contrary, if the second public key of the authorization node acquired from the first blockchain is not consistent with the second public key of the authorization node in the authorization contract information, or the service identification information of the authorization node acquired from the first blockchain is not consistent with the service identification information of the authorization node in the authorization contract information, it can be determined that the identity verification of the authorization node fails.
S411: When the identity verification of the authorization node passes, the authorization data providing node verifies the authorizer signature in the authorization contract information by using the second public key of the authorization node, where the authorizer signature represents the authorizer's signature information for the associated authorization information;
In this embodiment of the present specification, for the specific steps of verifying the authorizer signature in the authorization contract information by using the second public key of the authorization node, refer to the specific steps of verifying the service party signature, which are not described herein again.
S413: When the authorizer signature passes the verification, the authorization data providing node performs a contract validity check based on the contract validity period in the authorization contract information;
When the contract validity check passes, it is determined that the authorization verification passes.
In the embodiment of the specification, authorization verification is performed in combination with the blockchain, so that parties other than the service party can also verify the user's authorization, the tamper resistance and traceability of the authorization process are effectively ensured, and the security of the authorizer's user data is improved.
S207: When the authorization verification passes, the authorization data providing node sends authorization data corresponding to the authorization contract information to the first blockchain.
In this embodiment of the present specification, the authorization data may carry second specified synchronization information, where the second specified synchronization information is used to specify that the authorization data is synchronized to the service node.
In an optional embodiment, to ensure the privacy and security of the authorization, data that may be disclosed to the other participants on the chain (second blockchain) can be put on the chain directly, while data that may not be disclosed to participants on the chain (second blockchain) other than the service node can be encrypted with a digital envelope technique so that only the service node can open it. For example, the authorization data is encrypted with the first public key corresponding to the service node, so that only the service node, which holds the first private key, can decrypt it to obtain the authorization data.
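The digital envelope described above, as an added Go example that is not code from the patent: the authorization data is encrypted under a one-time AES-256-GCM key, and only that key is encrypted to the service node's public key. The RSA-OAEP key wrap, the `contractID` binding and all names and sample values are assumptions of this example; the page names neither an envelope format nor an algorithm for it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the record the authorization data providing node puts on chain.
type Envelope struct {
	WrappedKey []byte // one-time content key, encrypted to the service node
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // authorization data under the content key
}

// NewServiceKey generates a throwaway RSA key pair standing in for the service
// node's first private/public key (assumption: the page names no algorithm).
func NewServiceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts data with a fresh AES-256-GCM key and wraps that key with
// RSA-OAEP. contractID is bound into both layers (an addition of this example)
// so an envelope cannot be replayed under another contract.
func Seal(pub *rsa.PublicKey, contractID string, data []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(contractID))
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, []byte(contractID))
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal; it fails for any other private key, any other
// contractID, or a modified ciphertext.
func Open(priv *rsa.PrivateKey, contractID string, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, []byte(contractID))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(contractID))
}

func main() {
	svc := NewServiceKey()
	env, err := Seal(&svc.PublicKey, "contract-42", []byte("constructed authorization data"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(svc, "contract-42", env)
	fmt.Println(string(pt), err)
}
```

Other participants on the chain see only `WrappedKey`, `Nonce` and `Ciphertext`; the size of the authorization data remains visible to them.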
S209: the first blockchain sends authorization data to the service node based on the second specified synchronization information.
In this embodiment, the first blockchain may send, in combination with the second specified synchronization information, the authorization data in the chain to the data synchronizer (service node) pointed by the second specified synchronization information.
In other embodiments, as shown in fig. 5, the method may further include:
S211: The service node processes the target service based on the authorization data.
In some embodiments, the authorization contract information may further carry third designated synchronization information, where the third designated synchronization information may be used to designate that the authorization contract information is synchronized to the supervisory node; correspondingly, the method may further include:
The first blockchain synchronizes the authorization contract information to the supervision node based on the third specified synchronization information;
After the first blockchain synchronizes the authorization data to the service node, the method further comprises:
The supervision node calls the first intelligent contract to perform authorization verification on the authorization contract information.
In this embodiment of the present specification, the specific step of the supervision node invoking the first intelligent contract to perform authorization verification on the authorization contract information may refer to the specific step of the authorization data provider invoking the first intelligent contract to perform authorization verification on the authorization contract information, which is not described herein again.
In this embodiment of the present specification, after the first blockchain synchronizes the authorization data to the service node, the supervisory node invokes the first intelligent contract to check whether the user (authorizer) had given authorization when the service party obtained the authorization data. By deploying the first intelligent contract on the chain, the user's authorization can be verified at a plurality of blockchain nodes of the second blockchain, which better guarantees that the authorization process is tamper-proof and traceable and improves the security of the authorizer's user data.
As can be seen from the technical solutions provided by the embodiments of the present specification, the authorization contract information obtained by signing with the authorizer's private key is put on the chain, which ensures anti-forgery and public verifiability in the authorization process. The authorization contract information is verified by the first intelligent contract deployed on the blockchain, so that other participating nodes on the blockchain can verify the user's authorization, which ensures that the user has given authorization when the authorization data providing node provides the authorization data and that the service party obtains data only according to the authorization. The whole data authorization flow passes through the blockchain and every operation of every participating node is recorded on it, so the data obtained under each authorization is traceable and tamper-proof throughout, which greatly improves the security of the user data.
A data authorization method based on a blockchain according to the present application is described below from the perspective of a first blockchain (specifically, any blockchain node accessing the first blockchain), and as shown in fig. 6, the method may include:
S601: Acquiring authorization contract information generated by an authorizer signing the associated authorization information of the target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first designated synchronization information, and the first designated synchronization information is used for designating the authorization contract information to be synchronized to an authorization data providing node;
S603: Sending the authorization contract information to the authorization data providing node based on the first specified synchronization information so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
S605: Receiving authorization data corresponding to the authorization contract information sent by the authorization data providing node under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data is synchronized to the service node;
S607: Sending the authorization data to the service node based on the second specified synchronization information.
Optionally, the authorization contract information further carries third designated synchronization information, where the third designated synchronization information is used to designate that the authorization contract information is synchronized to a supervisory node; the method further comprises the following steps:
sending the authorization contract information to the supervision node based on the third specified synchronization information, so that after the authorization data is sent to the service node based on the second specified synchronization information, the supervision node calls the first intelligent contract to perform authorization verification on the authorization contract information.
Optionally, the method further includes:
receiving demand contract information which is sent by the service node and generated by a service party corresponding to the service node based on a first private key to sign the associated demand information of the target service; the requirement contract information carries fourth appointed synchronous information, and the fourth appointed synchronous information is used for appointing to synchronize the requirement contract information to the authorization node; the first private key is a private key which is applied by the service node in a first block chain and identifies the identity of a service party corresponding to the service node;
sending the requirement contract information to the authorization node based on the fourth specified synchronization information so that the authorization node invokes a second intelligent contract on the first blockchain to perform authorization verification on the requirement contract information; and under the condition that the authorization verification is passed, the authorization node determines the associated authorization information of the target service based on the requirement contract information.
Optionally, the obtaining of the authorization contract information includes:
receiving authorization contract information sent by the service node;
or
receiving the authorization contract information sent by the authorization party.
A block chain-based data authorization method according to the present application is described below from the perspective of an authorization data providing node, and as shown in fig. 7, the method may include:
S701: Acquiring authorization contract information from the first blockchain, wherein the authorization contract information is generated by an authorizer signing the associated authorization information of the target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
S703: Calling a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
S705: Sending authorization data corresponding to the authorization contract information to the first blockchain under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data is synchronized to the service node, so that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
Optionally, the invoking a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information includes:
acquiring a first public key and service identification information of the service node from the first blockchain;
performing identity verification of the service node based on the first public key and the service identification information of the service node acquired from the first blockchain and the first public key and the service identification information of the service node in the authorization contract information;
under the condition that the identity of the service node passes the verification, verifying a server signature in the authorization contract information by using a first public key of the service node, wherein the server signature represents signature information of the server for the associated demand information of the target service;
under the condition that the signature of the server passes verification, acquiring a second public key and service identification information of the authorization node from the first block chain;
performing identity verification of the authorization node based on the second public key and the service identification information of the authorization node acquired from the first blockchain and the second public key and the service identification information of the authorization node in the authorization contract information;
under the condition that the identity verification of an authorization node is passed, verifying an authorizer signature in the authorization contract information by using a second public key of the authorization node, wherein the authorizer signature represents the signature information of the authorizer to the associated authorization information;
when the signature of the authorizer passes the verification, performing contract validity verification based on a contract validity period in the authorization contract information;
and determining that the authorization verification is passed under the condition that the contract validity check is passed.
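The check order of steps S401 to S413, restated in the list above, over the Table 1 fields, as an added Go example that is not code from the patent or from any blockchain platform. Ed25519 from the Go standard library stands in for the preset algorithm, and the `Registry` map, the length-prefixed field encoding and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Contract mirrors the Table 1 fields; the Go names are this example's own.
type Contract struct {
	Version, ServiceID, ServiceBizID, DataRange, Frequency string // demand fields
	ServicePub, AuthorizerPub                              ed25519.PublicKey
	AuthorizerID, AlgID                                    string
	AuthorizedAt                                           time.Time     // contract effective time
	ValidFor                                               time.Duration // contract validity period
	ServiceSig, AuthorizerSig                              []byte
}

// Registry stands in for the identities recorded on the first blockchain (assumption).
type Registry map[string]ed25519.PublicKey

var (
	ErrServiceIdentity    = errors.New("S403: service node identity mismatch")
	ErrServiceSignature   = errors.New("S405: service party signature invalid")
	ErrAuthorizerIdentity = errors.New("S409: authorization node identity mismatch")
	ErrAuthorizerSig      = errors.New("S411: authorizer signature invalid")
	ErrNotInValidity      = errors.New("S413: outside contract validity period")
)

// encode length-prefixes each field so distinct field lists never collide.
func encode(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		n := len(f)
		out = append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
		out = append(out, f...)
	}
	return out
}

// DemandBytes is what the service party signs (associated demand information).
func (c *Contract) DemandBytes() []byte {
	return encode([]byte(c.Version), []byte(c.ServiceID), []byte(c.ServiceBizID),
		c.ServicePub, []byte(c.DataRange), []byte(c.Frequency))
}

// AuthBytes is what the authorizer signs: demand, service party signature, attributes.
func (c *Contract) AuthBytes() []byte {
	return encode(c.DemandBytes(), c.ServiceSig, []byte(c.AuthorizerID), []byte(c.AlgID),
		c.AuthorizerPub, []byte(c.AuthorizedAt.UTC().Format(time.RFC3339)),
		[]byte(c.ValidFor.String()))
}

// Verify runs the checks in the order S401 to S413 and stops at the first failure.
func Verify(c *Contract, reg Registry, now time.Time) error {
	sp := reg[c.ServiceID] // S401: key recorded on chain for the service node
	if len(sp) != ed25519.PublicKeySize || !bytes.Equal(sp, c.ServicePub) {
		return ErrServiceIdentity
	}
	if !ed25519.Verify(sp, c.DemandBytes(), c.ServiceSig) {
		return ErrServiceSignature
	}
	ap := reg[c.AuthorizerID] // S407: key recorded on chain for the authorization node
	if len(ap) != ed25519.PublicKeySize || !bytes.Equal(ap, c.AuthorizerPub) {
		return ErrAuthorizerIdentity
	}
	if !ed25519.Verify(ap, c.AuthBytes(), c.AuthorizerSig) {
		return ErrAuthorizerSig
	}
	if now.Before(c.AuthorizedAt) || !now.Before(c.AuthorizedAt.Add(c.ValidFor)) {
		return ErrNotInValidity
	}
	return nil
}

// Sample builds a constructed contract with fixed test keys. The returned function
// re-signs the demand fields, modelling a service party that edits its demand later.
func Sample() (*Contract, Registry, func(*Contract)) {
	sPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	aPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	c := &Contract{Version: "1", ServiceID: "svc-001", ServiceBizID: "biz-01",
		DataRange: "invoices-2020", Frequency: "monthly",
		ServicePub: sPriv.Public().(ed25519.PublicKey), AuthorizerPub: aPriv.Public().(ed25519.PublicKey),
		AuthorizerID: "TAXID-EXAMPLE", AlgID: "ed25519",
		AuthorizedAt: time.Date(2020, 10, 27, 0, 0, 0, 0, time.UTC), ValidFor: 30 * 24 * time.Hour}
	c.ServiceSig = ed25519.Sign(sPriv, c.DemandBytes())
	c.AuthorizerSig = ed25519.Sign(aPriv, c.AuthBytes())
	return c, Registry{c.ServiceID: c.ServicePub, c.AuthorizerID: c.AuthorizerPub},
		func(x *Contract) { x.ServiceSig = ed25519.Sign(sPriv, x.DemandBytes()) }
}

func main() {
	c, reg, _ := Sample()
	fmt.Println("verify:", Verify(c, reg, c.AuthorizedAt.Add(time.Hour)))
}
```

Because the authorizer signature covers the demand fields and the service party signature, a service party that widens the data range and re-signs its own part still fails at S411.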
A block chain based data authorization method according to the present application is introduced from the perspective of a service node, and as shown in fig. 8, the method may include:
S801: Acquiring authorization contract information generated by an authorizer signing the associated authorization information of the target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
S803: Sending the authorization contract information to the first blockchain, wherein the authorization contract information carries first specified synchronization information, and the first specified synchronization information is used for specifying that the authorization contract information is synchronized to an authorization data providing node, so that the first blockchain transmits the authorization contract information to the authorization data providing node based on the first specified synchronization information, and the authorization data providing node calls a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information; under the condition that the authorization verification is passed, the authorization data providing node sends authorization data corresponding to the authorization contract information to the first blockchain, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data is synchronized to the service node;
S805: Receiving the authorization data sent by the first blockchain based on the second specified synchronization information.
The single-side method embodiments above are based on the same application concept as the interaction method embodiment above; for specific details, refer to the interaction method embodiment.
The present application further provides a data authorization system based on a block chain, the system including: the system comprises a first block chain, a service node and an authorization data providing node;
the first block chain is used for acquiring authorization contract information, the authorization contract information carries first specified synchronous information, and the first specified synchronous information is used for specifying that the authorization contract information is synchronized to an authorization data providing node; for sending the authorization contract information to the authorization data providing node based on the first specified synchronization information; and sending authorization data to the service node based on the second specified synchronization information;
the authorization data providing node is used for calling a first intelligent contract on the first blockchain to carry out authorization verification on the authorization contract information; and for sending authorization data corresponding to the authorization contract information to the first blockchain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
the service node is configured to obtain the authorization data from the first blockchain.
Optionally, the system further includes a supervision node; the authorization contract information also carries third specified synchronization information, and the third specified synchronization information is used for specifying that the authorization contract information is synchronized to the supervision node;
the first blockchain is further configured to send the authorization contract information to the supervisory node based on the third specified synchronization information;
the supervision node is used for calling the first intelligent contract to carry out authorization verification on the authorization contract information after the authorization data providing node sends the authorization data to the service node based on the second specified synchronous information.
An embodiment of the present application further provides a data authorization apparatus based on a block chain, as shown in fig. 9, the apparatus includes:
a first authorization contract information obtaining module 910, configured to obtain authorization contract information, where the authorization contract information is generated by an authorizer signing associated authorization information of a target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first designated synchronization information, and the first designated synchronization information is used for designating the authorization contract information to be synchronized to an authorization data providing node;
a first authorization contract information sending module 920, configured to send the authorization contract information to the authorization data providing node based on the first specified synchronization information, so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
a first authorization data receiving module 930, configured to receive authorization data corresponding to the authorization contract information sent by the authorization data providing node when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
a first authorization data sending module 940, configured to send the authorization data to the service node based on the second specified synchronization information.
Optionally, the authorization contract information further carries third designated synchronization information, where the third designated synchronization information is used to designate that the authorization contract information is synchronized to a supervisory node; the device further comprises:
and the second authorization contract information sending module is used for sending the authorization contract information to the supervision node based on the third specified synchronization information, so that after the authorization data is sent to the service node based on the second specified synchronization information, the supervision node calls the first intelligent contract to carry out authorization verification on the authorization contract information.
Optionally, the apparatus further comprises:
the demand contract information receiving module is used for receiving demand contract information which is sent by the service node and generated by a service party corresponding to the service node based on a first private key to sign the correlation demand information of the target service; the requirement contract information carries fourth appointed synchronous information, and the fourth appointed synchronous information is used for appointing to synchronize the requirement contract information to the authorization node; the first private key is a private key which is applied by the service node in a first block chain and identifies the identity of a service party corresponding to the service node;
a first requirement contract information sending module, configured to send the requirement contract information to the authorization node based on the fourth specified synchronization information, so that the authorization node invokes a second intelligent contract on the first blockchain to perform authorization verification on the requirement contract information; and under the condition that the authorization verification is passed, the authorization node determines the associated authorization information of the target service based on the requirement contract information.
Optionally, the first authorization contract information obtaining module includes:
a first authorization contract information receiving unit, configured to receive authorization contract information sent by the service node;
or
and the second authorization contract information receiving unit is used for receiving the authorization contract information sent by the authorizer.
An embodiment of the present application further provides a data authorization apparatus based on a block chain, as shown in fig. 10, the apparatus includes:
a second authorization contract information obtaining module 1010, configured to obtain authorization contract information from the first blockchain, where the authorization contract information is generated by an authorizer signing associated authorization information of a target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
an authorization verification module 1020, configured to invoke a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
a second authorization data sending module 1030, configured to send authorization data corresponding to the authorization contract information to the first block chain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node; so that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
Optionally, the authorization verification module includes:
a first information obtaining unit, configured to obtain a first public key and service identification information of the service node from the first blockchain;
the first identity verification unit is used for verifying the identity of the service node based on the first public key and the service identification information of the service node acquired from the first blockchain and the first public key and the service identification information of the service node in the authorization contract information;
the server side signature verification unit is used for verifying a server side signature in the authorization contract information by using a first public key of the service node under the condition that the identity verification of the service node passes, wherein the server side signature represents the signature information of the server side for the associated demand information of the target service;
a second information obtaining unit, configured to obtain, from the first blockchain, a second public key and service identification information of the authorization node when the server side signature passes verification;
the second identity verification unit is used for verifying the identity of the authorization node based on the second public key and the service identification information of the authorization node acquired from the first blockchain and the second public key and the service identification information of the authorization node in the authorization contract information;
the authorizer signature verifying unit is used for verifying an authorizer signature in the authorization contract information by using a second public key of an authorizing node under the condition that the identity verification of the authorizing node passes, wherein the authorizer signature represents the signature information of the authorizer on the associated authorization information;
the contract validity checking unit is used for checking the contract validity based on the contract validity period in the authorization contract information when the signature of the authorizer passes the checking;
and determining that the authorization verification is passed under the condition that the contract validity check is passed.
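The check order described above (the same sequence is recited in claim 6), written out as an added Go example; it is not code from the patent. Ed25519 is used because the text names no signature algorithm, and the `Ledger` type, the field names, the sample identifiers and the choice to have the authorizer's signature cover the demand hash and the validity period are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Identity is a node's registration: public key plus service identification.
type Identity struct {
	PublicKey ed25519.PublicKey
	ServiceID string
}

// Ledger stands in for the records read from the first blockchain (hypothetical shape).
type Ledger struct{ ServiceNode, AuthorizationNode Identity }

// AuthorizationContract holds the fields the verification reads (names are assumptions).
type AuthorizationContract struct {
	Service       Identity // service node identity as embedded in the contract
	Demand        []byte   // associated demand information of the target service
	ServiceSig    []byte   // service party's signature over Demand
	Authorizer    Identity // authorization node identity as embedded in the contract
	Grant         []byte   // associated authorization information
	AuthorizerSig []byte   // authorizer's signature over grantPayload
	NotBefore     time.Time
	NotAfter      time.Time
}

var (
	ErrServiceIdentity     = errors.New("service node identity does not match chain record")
	ErrServiceSignature    = errors.New("service party signature invalid")
	ErrAuthorizerIdentity  = errors.New("authorization node identity does not match chain record")
	ErrAuthorizerSignature = errors.New("authorizer signature invalid")
	ErrExpired             = errors.New("contract outside its validity period")
)

// sameIdentity compares the on-chain record with the copy inside the contract.
// The length check keeps ed25519.Verify from panicking on an unregistered key.
func sameIdentity(onChain, inContract Identity) bool {
	return len(onChain.PublicKey) == ed25519.PublicKeySize &&
		onChain.ServiceID == inContract.ServiceID &&
		bytes.Equal(onChain.PublicKey, inContract.PublicKey)
}

// grantPayload is what the authorizer signs. Assumption of this example: it binds
// the demand hash and the validity period, so neither can be edited after signing.
func grantPayload(c AuthorizationContract) []byte {
	d := sha256.Sum256(c.Demand)
	return []byte(fmt.Sprintf("%x|%d|%d|%s", d, c.NotBefore.Unix(), c.NotAfter.Unix(), c.Grant))
}

// VerifyAuthorization runs the checks in the order the text gives; the first failure stops it.
func VerifyAuthorization(l Ledger, c AuthorizationContract, now time.Time) error {
	if !sameIdentity(l.ServiceNode, c.Service) {
		return ErrServiceIdentity
	}
	if !ed25519.Verify(l.ServiceNode.PublicKey, c.Demand, c.ServiceSig) {
		return ErrServiceSignature
	}
	if !sameIdentity(l.AuthorizationNode, c.Authorizer) {
		return ErrAuthorizerIdentity
	}
	if !ed25519.Verify(l.AuthorizationNode.PublicKey, grantPayload(c), c.AuthorizerSig) {
		return ErrAuthorizerSignature
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return ErrExpired
	}
	return nil
}

// sampleContract builds constructed test data: fixed-seed keys, made-up IDs and payloads.
func sampleContract() (Ledger, AuthorizationContract) {
	svcKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	authKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	svc := Identity{PublicKey: svcKey.Public().(ed25519.PublicKey), ServiceID: "service-node-A"}
	auth := Identity{PublicKey: authKey.Public().(ed25519.PublicKey), ServiceID: "authorization-node-B"}
	c := AuthorizationContract{
		Service: svc, Demand: []byte("demand: credit report for target service T"),
		Authorizer: auth, Grant: []byte("grant: credit report, read once"),
		NotBefore: time.Unix(1600000000, 0), NotAfter: time.Unix(1600086400, 0),
	}
	c.ServiceSig = ed25519.Sign(svcKey, c.Demand)
	c.AuthorizerSig = ed25519.Sign(authKey, grantPayload(c))
	return Ledger{ServiceNode: svc, AuthorizationNode: auth}, c
}

func main() {
	l, c := sampleContract()
	now := c.NotBefore.Add(time.Hour)
	fmt.Println("valid contract:", VerifyAuthorization(l, c, now))
	c.NotAfter = c.NotAfter.Add(24 * time.Hour) // validity period edited after signing
	fmt.Println("extended validity:", VerifyAuthorization(l, c, now))
}
```

Because the keys used for signature checks come from the chain record rather than from the contract, a contract that embeds its own key pair fails at the identity step before any signature is evaluated.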
An embodiment of the present application further provides a data authorization apparatus based on a block chain, as shown in fig. 11, the apparatus includes:
a second authorization contract information obtaining module 1110, configured to obtain authorization contract information, where the authorization contract information is generated by an authorizer signing associated authorization information of a target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
a third authorization contract information sending module 1120, configured to send the authorization contract information to the first block chain, where the authorization contract information carries first specified synchronization information, and the first specified synchronization information is used to specify that the authorization contract information is synchronized to an authorization data providing node; so that the first blockchain transmits the authorization contract information to the authorization data providing node based on the first specified synchronization information; enabling the authorization data providing node to call a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information, and under the condition that the authorization verification is passed, the authorization data providing node sends authorization data corresponding to the authorization contract information to the first blockchain, wherein the authorization data carries second specified synchronization information, and the second specified synchronization information is used for specifying that the authorization data are synchronized to the service node;
a second authorization data receiving module 1130, configured to receive the authorization data sent by the first blockchain based on the second specified synchronization information.
The apparatus embodiments described above are based on the same application concept as the method embodiments; for specific details, refer to the method embodiments described above.
The embodiment of the present application provides a data authorization device based on a blockchain, where the data authorization device based on a blockchain includes a processor and a memory, where the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the data authorization method based on a blockchain provided in the foregoing method embodiment.
The memory may be used to store software programs and modules, and the processor may execute various functional applications and data processing by operating the software programs and modules stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system, application programs needed by functions and the like; the storage data area may store data created according to use of the apparatus, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory may also include a memory controller to provide the processor access to the memory.
Embodiments of the present application further provide a computer-readable storage medium, where the storage medium may be disposed in a device to store at least one instruction related to implementing a block chain based data authorization method in the method embodiments, or at least one program, where the at least one instruction or the at least one program is loaded and executed by a processor to implement the block chain based data authorization method provided in the method embodiments.
Alternatively, in this embodiment, the storage medium may be located in at least one network server of a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, which can store program codes.
The method provided by the embodiment of the application can be executed in a mobile terminal, a computer terminal, a server or a similar operation device. Taking the example of running on a server, fig. 12 is a hardware structure block diagram of a server implementing a data authorization method based on a blockchain according to an embodiment of the present application. As shown in fig. 12, the server 1200 may vary considerably depending on its configuration or performance, and may include one or more Central Processing Units (CPUs) 1210 (the processors 1210 may include but are not limited to processing devices such as a microprocessor MCU or a programmable logic device FPGA), a memory 1230 for storing data, and one or more storage media 1220 (e.g., one or more mass storage devices) for storing applications 1223 or data 1222. The memory 1230 and the storage media 1220 may be transient storage or persistent storage. The program stored in the storage medium 1220 may include one or more modules, each of which may include a series of instruction operations for a server. Further, the central processor 1210 may be configured to communicate with the storage medium 1220, and execute a series of instruction operations in the storage medium 1220 on the server 1200. The server 1200 may also include one or more power supplies 1260, one or more wired or wireless network interfaces 1250, one or more input-output interfaces 1240, and/or one or more operating systems 1221, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so on.
The input output interface 1240 may be used to receive or transmit data over a network. The specific example of the network described above may include a wireless network provided by a communication provider of the server 1200. In one example, the input/output Interface 1240 includes a Network Interface Controller (NIC) that may be coupled to other Network devices via a base station to communicate with the internet. In one example, the input/output interface 1240 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
It will be understood by those skilled in the art that the structure shown in fig. 12 is only an illustration and is not intended to limit the structure of the electronic device. For example, server 1200 may also include more or fewer components than shown in FIG. 12, or have a different configuration than shown in FIG. 12.
As the embodiments of the blockchain-based data authorization method, apparatus, system, device, server and storage medium provided by the present application show, the authorization contract information is signed with the authorizer's private key and put on the chain, which ensures forgery prevention and open verification in the authorization process. The authorization contract information is verified by the first intelligent contract deployed on the blockchain, and the user authorization can be verified by the other participating nodes on the blockchain, which ensures that the user has given authorization when the authorization data providing node provides the authorization data and that the service party obtains the data according to that authorization. The whole data authorization flow runs through the blockchain and each operation of each participating node is put on the chain, so the whole process of obtaining the authorization data can be traced and cannot be tampered with, which greatly improves the security of the user data.
It should be noted that: the sequence of the embodiments of the present application is only for description, and does not represent the advantages and disadvantages of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the apparatus and the server, the description is simple because they are basically similar to the embodiments of the method, and the relevant points can be referred to the partial description of the embodiments of the method.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware to implement the above embodiments, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method for data authorization based on block chains, the method comprising:
acquiring authorization contract information generated by an authorizer signing the associated authorization information of the target service based on a second private key; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first designated synchronization information, and the first designated synchronization information is used for designating the authorization contract information to be synchronized to an authorization data providing node;
sending the authorization contract information to the authorization data providing node based on the first specified synchronization information so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
receiving authorization data corresponding to the authorization contract information sent by the authorization data providing node under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronous information, and the second specified synchronous information is used for specifying that the authorization data are synchronized to the service node;
sending the authorization data to the service node based on the second specified synchronization information.
2. The method according to claim 1, wherein the authorization contract information further carries third designated synchronization information, and the third designated synchronization information is used for designating synchronization of the authorization contract information to a supervisory node; the method further comprises the following steps:
and sending the authorization contract information to the supervision node based on the third specified synchronization information, so that after the authorization data is sent to the service node based on the second specified synchronization information, the supervision node calls the first intelligent contract to perform authorization verification on the authorization contract information.
3. The method of claim 1, further comprising:
receiving demand contract information which is sent by the service node and generated by a service party corresponding to the service node based on a first private key to sign the associated demand information of the target service; the requirement contract information carries fourth appointed synchronous information, and the fourth appointed synchronous information is used for appointing to synchronize the requirement contract information to the authorization node; the first private key is a private key which is applied by the service node in a first block chain and identifies the identity of a service party corresponding to the service node;
sending the requirement contract information to the authorization node based on the fourth specified synchronization information so that the authorization node invokes a second intelligent contract on the first blockchain to perform authorization verification on the requirement contract information; and under the condition that the authorization verification is passed, the authorization node determines the associated authorization information of the target service based on the requirement contract information.
4. The method according to any one of claims 1 to 3, wherein the obtaining of the authorization contract information comprises:
receiving authorization contract information sent by the service node;
or
and receiving the authorization contract information sent by the authorization party.
5. A method for data authorization based on block chains, the method comprising:
acquiring authorization contract information from the first blockchain, wherein the authorization contract information is generated by an authorizer based on the associated authorization information of the second private key signing target service; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
calling a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
sending authorization data corresponding to the authorization contract information to the first block chain under the condition that authorization verification is passed, wherein the authorization data carries second specified synchronous information, and the second specified synchronous information is used for specifying that the authorization data is synchronized to the service node; so that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
6. The method of claim 5, wherein the invoking the first smart contract on the first blockchain to perform authorization verification on the authorization contract information comprises:
acquiring a first public key and service identification information of the service node from the first blockchain;
performing identity verification of the service node based on the first public key and the service identification information of the service node acquired from the first blockchain and the first public key and the service identification information of the service node in the authorization contract information;
under the condition that the identity of the service node passes the verification, verifying a server signature in the authorization contract information by using a first public key of the service node, wherein the server signature represents signature information of the server for the associated demand information of the target service;
under the condition that the signature of the server passes verification, acquiring a second public key and service identification information of the authorization node from the first block chain;
performing identity verification of the authorization node based on the second public key and the service identification information of the authorization node acquired from the first blockchain and the second public key and the service identification information of the authorization node in the authorization contract information;
under the condition that the identity verification of an authorization node is passed, verifying an authorizer signature in the authorization contract information by using a second public key of the authorization node, wherein the authorizer signature represents the signature information of the authorizer to the associated authorization information;
when the signature of the authorizer passes the verification, performing contract validity verification based on a contract validity period in the authorization contract information;
and determining that the authorization verification is passed under the condition that the contract validity check is passed.
7. A data authorization system based on blockchains, the system comprising: a first block chain, a service node and an authorization data providing node;
the first block chain is used for acquiring authorization contract information, the authorization contract information carries first specified synchronous information, and the first specified synchronous information is used for specifying that the authorization contract information is synchronized to an authorization data providing node; for sending the authorization contract information to the authorization data providing node based on the first specified synchronization information; and sending authorization data to the service node based on the second specified synchronization information;
the authorization data providing node is used for calling a first intelligent contract on the first blockchain to carry out authorization verification on the authorization contract information; and is configured to send authorization data corresponding to the authorization contract information to the first block chain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
the service node is configured to obtain the authorization data from the first blockchain.
8. The system of claim 7, further comprising: a supervision node; the authorization contract information also carries third specified synchronous information, and the third specified synchronous information is used for specifying the synchronization of the authorization contract information to the supervision node;
the first blockchain is further configured to send the authorization contract information to the supervisory node based on the third specified synchronization information;
the supervision node is used for calling the first intelligent contract to carry out authorization verification on the authorization contract information after the authorization data providing node sends the authorization data to the service node based on the second specified synchronous information.
9. An apparatus for data authorization based on block chains, the apparatus comprising:
the first authorization contract information acquisition module is used for acquiring authorization contract information, and the authorization contract information is generated by an authorizer based on the associated authorization information of the second private key signing target service; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer; the authorization contract information carries first designated synchronization information, and the first designated synchronization information is used for designating the authorization contract information to be synchronized to an authorization data providing node;
a first authorization contract information sending module, configured to send the authorization contract information to the authorization data providing node based on the first specified synchronization information, so that the authorization data providing node invokes a first intelligent contract on the first blockchain to perform authorization verification on the authorization contract information;
a first authorization data receiving module, configured to receive authorization data corresponding to the authorization contract information sent by the authorization data providing node when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node;
a first authorization data sending module, configured to send the authorization data to the service node based on the second specified synchronization information.
10. An apparatus for data authorization based on block chains, the apparatus comprising:
the second authorization contract information acquisition module is used for acquiring authorization contract information from the first blockchain, wherein the authorization contract information is generated by an authorizer based on the associated authorization information of the second private key signing target service; the second private key is a private key which is applied by an authorization node corresponding to the authorizer in the first blockchain and identifies the identity of the authorizer;
the authorization verification module is used for calling a first intelligent contract on the first block chain to carry out authorization verification on the authorization contract information;
a second authorization data sending module, configured to send authorization data corresponding to the authorization contract information to the first block chain when authorization verification passes, where the authorization data carries second specified synchronization information, and the second specified synchronization information is used to specify that the authorization data is synchronized to the service node; so that the first blockchain sends the authorization data to the service node based on the second specified synchronization information.
CN202011165802.XA 2020-10-27 2020-10-27 Data authorization method, device and system based on block chain Pending CN112231755A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011165802.XA CN112231755A (en) 2020-10-27 2020-10-27 Data authorization method, device and system based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011165802.XA CN112231755A (en) 2020-10-27 2020-10-27 Data authorization method, device and system based on block chain

Publications (1)

Publication Number Publication Date
CN112231755A true CN112231755A (en) 2021-01-15

Family

ID=74109716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011165802.XA Pending CN112231755A (en) 2020-10-27 2020-10-27 Data authorization method, device and system based on block chain

Country Status (1)

Country Link
CN (1) CN112231755A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109816386A (en) * 2019-01-24 2019-05-28 杭州趣链科技有限公司 Data get through method on a kind of chain of the unified identity authentication based on block chain
WO2019100991A1 (en) * 2017-11-27 2019-05-31 北京京东金融科技控股有限公司 Information processing method, device and system, storage medium, and electronic device
CN110457875A (en) * 2019-07-31 2019-11-15 阿里巴巴集团控股有限公司 Data grant method and device based on block chain
CN111008366A (en) * 2019-12-04 2020-04-14 腾讯科技(深圳)有限公司 Copyright authorization method and device based on block chain
US20200177604A1 (en) * 2019-07-31 2020-06-04 Alibaba Group Holding Limited Providing data authorization based on blockchain
CN111292088A (en) * 2020-01-21 2020-06-16 杭州趣链科技有限公司 Block chain-based multi-level authorization method, system, equipment and storage medium
CN111401902A (en) * 2020-05-29 2020-07-10 支付宝(杭州)信息技术有限公司 Service processing method, device and equipment based on block chain
CN111475778A (en) * 2020-04-03 2020-07-31 财付通支付科技有限公司 Music data processing method and device based on block chain

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113468600A (en) * 2021-06-30 2021-10-01 建信金融科技有限责任公司 Data authorization method, device and equipment
CN114722431A (en) * 2022-04-11 2022-07-08 北京神州邦邦技术服务有限公司 Method and device for monitoring generic IT service process based on block chain and storage medium
CN114884679A (en) * 2022-05-16 2022-08-09 江苏科技大学 Intellectual property authorization method and device based on block chain
CN114884679B (en) * 2022-05-16 2024-01-19 江苏科技大学 Intellectual property right authorizing method and device based on blockchain

Similar Documents

Publication Publication Date Title
CN110602138B (en) Data processing method and device for block chain network, electronic equipment and storage medium
CN111737724B (en) Data processing method and device, intelligent equipment and storage medium
CN111080295B (en) Electronic contract processing method and device based on blockchain
CN102170440B (en) Method suitable for safely migrating data between storage clouds
CN110598446A (en) Block chain based test method and device, storage medium and computer equipment
CN112231755A (en) Data authorization method, device and system based on block chain
CN112507363A (en) Data supervision method, device and equipment based on block chain and storage medium
CN112527912B (en) Data processing method and device based on block chain network and computer equipment
CN112115205B (en) Cross-chain trust method, device, equipment and medium based on digital certificate authentication
CN112667748B (en) Block chain all-in-one machine facing audit service, data processing method and device
CN111556120A (en) Data processing method and device based on block chain, storage medium and equipment
CN110381075B (en) Block chain-based equipment identity authentication method and device
CN111488372A (en) Data processing method, device and storage medium
CN112532656B (en) Block chain-based data encryption and decryption method and device and related equipment
CN109194651A (en) A kind of identity identifying method, device, equipment and storage medium
CN111858751A (en) Data storage method and device based on block chain
CN112069550A (en) Electronic contract deposit certificate system based on intelligent contract mode
CN111274597B (en) Data processing method and device
CN114760071B (en) Zero-knowledge proof based cross-domain digital certificate management method, system and medium
CN115296794A (en) Key management method and device based on block chain
CN111176677A (en) Server system reinforcement updating method and device
CN111817859A (en) Data sharing method, device, equipment and storage medium based on zero knowledge proof
CN113869901B (en) Key generation method, key generation device, computer-readable storage medium and computer equipment
CN112926981B (en) Transaction information processing method, device and medium for block chain and electronic equipment
CN111311412B (en) Decentralized transaction confirmation method and device and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination