CN112671580B - QAR data management method based on blockchain technology - Google Patents


Publication number
CN112671580B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011545224.2A
Other languages
Chinese (zh)
Other versions
CN112671580A (en
Inventor
余臻
刘祥
刘利军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen University
Shenzhen Research Institute of Xiamen University
Original Assignee
Xiamen University
Shenzhen Research Institute of Xiamen University

Abstract

A QAR data management method based on blockchain technology, relating to blockchain technology and aviation information management. The architecture consists, from bottom to top, of a resource layer, a network layer and an application layer. In the network layer design, different organizations take on different tasks; even if an organization's identity-authentication private key is leaked, only the certificates issued by that organization's intermediate CA are affected. A more flexible, fine-grained protection mechanism for sensitive data is adopted, which avoids the network-performance cost of coarse-grained approaches such as channel isolation. The resource layer ensures data security through the data processing module's correction, division and packaging of the data and through the identity management module's identity authentication mechanism, and IPFS is introduced to further reduce pressure on the blockchain network. The application layer directly serves users with different permissions under each organization, enabling data sharing among the organizations. The method effectively addresses data fusion, device security, information protection and multi-party coordination in building a QAR data management system.

Description

QAR data management method based on blockchain technology
Technical Field
The invention relates to the field of blockchain technology and aviation information management, in particular to a QAR data management method based on the blockchain technology.
Background
The rapid development of the modern civil aviation industry places higher demands on the security of aviation information storage. Aviation information storage technology is regarded as an important means of guaranteeing air traffic safety and has long received attention. In addition, analyzing massive aviation information to find the factors that affect aviation safety, and mining the value behind the data, are also of great interest, but both depend on the aviation information being secure and trustworthy.
Traditional aviation information management falls into the following modes. In the first, to store data securely, each aviation enterprise builds its own dedicated data management system and keeps the collected data in a local database, which creates data islands and makes data hard to share between organizations. In the second, a trusted centralized institution is introduced to facilitate sharing and is responsible for collecting and managing the data; because the centralized institution is not sufficiently transparent to data providers, it poses a risk to data privacy, and intentional or unintentional damage or attacks by insiders cannot be effectively prevented. In addition, if the data is stored with a third-party trusted institution such as a cloud platform, resources may be wasted and transmission delayed: even personnel inside the data-providing organization must go to the cloud to access the data, and frequent remote transfers cause delay and waste, so data maintenance and platform construction costs are higher.
To address the risk of data tampering in existing centralized aviation information storage, and drawing on blockchain as an emerging decentralized infrastructure and distributed computing paradigm, the invention proposes a blockchain network structure suited to current QAR data management, based on the design of the Hyperledger Fabric platform. Using blockchain technology, a reasonable network structure is laid out according to the permissions of the different organizations, which effectively solves problems that may exist in the storage and data isolation mechanisms of prior designs.
Disclosure of Invention
The invention aims to solve the problems of aviation information storage methods in the prior art: unreliable data, the single points of failure that come with the commonly used centralized storage architecture, and the difficulty of sharing data between organizations. It provides a QAR data management method based on blockchain technology.
The management framework of the invention comprises three parts of a resource layer, a network layer and an application layer from bottom to top:
The resource layer consists of the underlying gateway server devices that provide data resources. Physical equipment with some storage and computing capacity serves as a gateway server and processes the different data fields in the original QAR data. It completes identity authentication by applying to the intermediate CA of its organization in the network layer, and interacts with the blockchain network nodes under that organization to pass the data further up;
The network layer is a blockchain network built on the Hyperledger Fabric platform for cooperation and data sharing among multiple organizations. It is the storage unit that collects the data uploaded by the resource layer and the source from which clients access shared data in the distributed network. The ledger structure and the chaincode deployed on the endorsing and committing nodes of the different organizations implement the business logic of data storage and data access; the intermediate CAs of the organizations handle permission control and identity authentication for their nodes; Raft provides the ordering service and the Gossip protocol optimizes blockchain network performance, ensuring consensus communication and data distribution among the nodes;
The application layer is a client built with a web application framework, comprising three tiers: data processing, business logic and data interface. By using the Fabric SDK to interact with the chaincode on the blockchain network, it provides data query, device management, chaincode management and user permission management within each user's permissions.
The invention discloses a QAR data management method based on a blockchain technology, which comprises the following steps:
Step 1: build a consortium chain among the network servers of the different organizations using Hyperledger Fabric, and construct the IPFS network;
In step 1, building the consortium chain and the IPFS network comprises network structure design, chaincode design, intermediate CA development and ledger content design. The network structure is designed for multi-server deployment in a production environment: the organizations share one data-sharing channel, each organization has its own endorsing and committing peer nodes, and a Raft ordering mechanism is used. The chaincode design is the main means of isolating sensitive data between organizations: the traditional coarse-grained, poorly dynamic channel-based isolation is abandoned in favor of a finer-grained encryption and authorization scheme for sensitive device data, in which changing the authorization only requires updating the chaincode or the key, reducing pressure on the blockchain network. For intermediate CA development, each organization's CA node is issued and authenticated by the root CA node; users of an organization register their information and identity through the organization's intermediate CA node, obtain a valid certificate and private key, and hand them to the MSP component for verification and management; each organization's administrator has the authority to register devices through the intermediate CA. The ledger content design defines the storage format of peer node data in the channel and adopts a <k, v> key-value format, where the key is <organization ID, flight ID, data field ID> and the value is a series of nested JSON data stored under the key, including the data date and the IPFS file address. The IPFS network stores the original QAR data field blocks processed and packaged by the resource layer, further reducing pressure on the blockchain network.
In step 1, the specific steps of building the consortium chain among the network servers of the different organizations using Hyperledger Fabric and constructing the IPFS network are as follows:
(1) In the network layer design, different organizations take on different tasks; through the intermediate CAs, even if an organization's identity-authentication private key is leaked, only the certificates issued by that organization's intermediate CA are affected;
(2) The ledger design in the network adopts a <k, v> key-value format, where the key is <organization ID, flight ID, data field ID> and the value is a series of nested JSON data stored under the key, including the data date and the IPFS file address.
(3) The fine-grained data isolation and authorization scheme for sensitive data fields works as follows. As shown in fig. 2, org1 needs to authorize a sensitive data field so that formal users under org2 can view it while users of other organizations in the same channel cannot. First, after the data has been processed through IPFS and the corresponding storage hash is to be written on-chain, org1 encrypts it symmetrically to produce ciphertext 1, which is written on-chain. Second, the symmetric key is encrypted asymmetrically with org2's public key to produce ciphertext 2, which is also written on-chain; the public key is obtained from the blockchain network's state database. Finally, when a formal user under org2 views the corresponding sensitive device field data, org2's private key is used after identity verification, the chaincode is called to decrypt org1's symmetric key, and the symmetric key decrypts the ciphertext to recover the plaintext storage hash, which is returned to the application layer.
Step 2: the data providing organization realizes interaction with the network layer IPFS and the blockchain network through the resource layer gateway server to finish the processing and the uplink of the original QAR data;
In step 2, the original QAR data is processed as follows. The identity management module in the gateway server's front-end and back-end programs uses the administrator identity to register identities for users of the current organization and stores the returned identity certificates in a local database. A user of the data-providing organization imports QAR data files from the original database system through the gateway server's front-end and back-end programs; the data processing module corrects abnormal and missing values in the original data using a mean-value imputation method, then divides the data and converts its format by flight ID and data field ID.
The resource layer gateway server is a device inside the organization with some computing and storage capacity. It is not a blockchain network node; it serves as the interface between the organization and the blockchain network, runs the front-end and back-end programs that import and process the original QAR data, and consists mainly of a data processing module and an identity management module;
The resource layer gateway server writes the processed QAR data on-chain through interaction with the network layer's IPFS and blockchain network as follows:
(1) Once the number of data fields reaches a preset value, the packaged data block is sent to the IPFS network and the storage hash is returned. Information on the data field is obtained from the identity management module to determine whether the field is sensitive; if so, a symmetric key is obtained from the identity management module to encrypt the storage hash. The list of sensitive data fields can be changed through the gateway server's client program; it is stored in the identity management module and synchronized with the application layer's back-end database;
(2) When the administrator changes the symmetric key through the gateway server's client program, org1's symmetric key must be fetched again from the identity management module when data is written on-chain, and ciphertext 2, encrypted with org2's public key, is written on-chain;
(3) The data processing module shapes the formatted data according to the chaincode's branch business logic and the ledger format requirements, uses the SDK to package and sign the data to be uploaded, wraps it in a transaction proposal, and sends it to the endorsing nodes in the channel;
(4) The data processing module stores the returned transaction hash in the Web application's back-end database via an HTTP request to the application layer server.
Step 3: develop the Web application using the Fabric SDK and a Web application development framework to provide data sharing and permission control among the organizations.
In step 3, the Web application mainly provides user management, data query, chaincode management and similar functions within the user's permissions. There are three types of user: ordinary users, formal users and organization administrators. An ordinary user becomes a formal user, with the right to view data, only after an organization administrator submits the user's identity information to the organization's intermediate CA; an identity information table holding the information returned by the CA node is associated with the user table. A formal user or organization administrator with query permission sends requests from the client by organization ID, flight ID and data field ID. After the Web Server has identified the request, it fetches the corresponding transaction hash from the database, interacts with the chaincode through the Fabric SDK to obtain the storage hash, and finally queries IPFS for the corresponding data by storage hash and returns it to the client.
To query a field marked as sensitive: first, after obtaining the transaction hash, the Web Server interacts with the chaincode to obtain ciphertext 1, the storage hash encrypted with the data-providing organization's symmetric key; the Web Server then initiates another transaction proposal, according to the data object the user requested, to obtain ciphertext 2, the data-providing organization's symmetric key encrypted with the querying organization's public key. Second, the Web Server decrypts ciphertext 2 with the querying organization's private key to obtain the data-providing organization's symmetric key. Finally, the symmetric key decrypts ciphertext 1 to yield the storage hash, and the actual data block is fetched from IPFS and returned.
The working principle of the invention is given below:
The blockchain network built on Hyperledger Fabric is a consortium chain formed by negotiation among organizations with different permissions according to actual requirements. To improve the scalability of Fabric CA in production and the security of each organization, each organization has an intermediate CA subordinate to the root CA; these are responsible for generating the public keys and certificates of the orderer organization and of each peer organization respectively.
In practice, the network faces data uploads from a large number of gateway devices and a wide range of query requests from client users. To relieve the storage pressure that data synchronization places on the endorsing and committing nodes in the channel, users store the identity information obtained after successful registration with their organization's intermediate CA on the local gateway server, and the gateway server, which has some storage and computing capacity, acts as an identity agent. The CouchDB state database is enabled, with database indexes added automatically when the chaincode is initialized or upgraded, and paged queries are used when a user requests data through the client web application, which relieves channel pressure and improves query efficiency. In addition, the resource layer's data processing module packages the data of a given field and uploads it to the IPFS network, where the actual data is stored, only once the amount of data reaches a preset value, and writes the returned storage hash to the blockchain network, further reducing its storage pressure.
For privacy protection, the data provider and the data querier belong to different organizations, for example org1 and org2. When org1 needs to write sensitive device data on-chain, a finer-grained encryption and authorization scheme is used so that users under org2 in the same channel can view the data while other organizations cannot. Specifically, once the sensitive data field of the original QAR data imported by org1 reaches a certain amount, the data processing module processes it and IPFS returns a storage hash; the hash is encrypted with org1's symmetric key and written on-chain, and the symmetric key is encrypted with org2's asymmetric public key, obtained from the network layer, and written on-chain. When a user under org2 queries the sensitive data field, the chaincode logic first checks whether the requesting user's organization is org2; if so, it returns ciphertext 1 and ciphertext 2 for the field so that org1's symmetric key can be decrypted. Finally, the storage hash is decrypted with the symmetric key and returned to the Web Server, which fetches the actual data from IPFS and returns it to the client, completing the data sharing.
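The sensitive-field flow described here and in steps 1 and 3 (ciphertext 1, ciphertext 2, the chaincode's organization check, decryption on the Web Server), as an added Go example that is not code from the patent. The patent names no algorithms: AES-256-GCM, RSA-OAEP, the struct field names, the in-memory `Ledger`, and binding the ledger key into both ciphertexts so a record cannot be replayed under another key are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LedgerValue sits under <org ID, flight ID, data field ID>; field names are assumed.
type LedgerValue struct {
	DataDate    string `json:"dataDate"`
	Ciphertext1 []byte `json:"ciphertext1"` // storage hash under org1's symmetric key
	Ciphertext2 []byte `json:"ciphertext2"` // that key under the grantee's public key
	Grantee     string `json:"grantee"`     // organization authorized to read
}

type Ledger map[string]LedgerValue // in-memory stand-in for the state database

// LedgerKey joins the IDs with NUL so ("a","bc") and ("ab","c") cannot collide.
func LedgerKey(orgID, flightID, fieldID string) string {
	return orgID + "\x00" + flightID + "\x00" + fieldID
}

func newGCM(sym []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sym)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the provider's gateway and yields ciphertext 1 and ciphertext 2.
func Seal(sym []byte, pub *rsa.PublicKey, key, storageHash string) (c1, c2 []byte, err error) {
	gcm, err := newGCM(sym)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	c1 = gcm.Seal(nonce, nonce, []byte(storageHash), []byte(key))
	c2, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sym, []byte(key))
	return c1, c2, err
}

// Query mimics the chaincode check: only the grantee organization gets the ciphertexts.
func (l Ledger) Query(callerOrg, key string) (LedgerValue, error) {
	v, ok := l[key]
	if !ok || v.Grantee != callerOrg {
		return LedgerValue{}, errors.New("no record, or organization not authorized")
	}
	return v, nil
}

// Open runs on the grantee's Web Server; its private key never goes on-chain.
func Open(priv *rsa.PrivateKey, key string, v LedgerValue) (string, error) {
	sym, err := rsa.DecryptOAEP(sha256.New(), nil, priv, v.Ciphertext2, []byte(key))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(sym)
	if err != nil || len(v.Ciphertext1) < gcm.NonceSize() {
		return "", errors.New("malformed key or ciphertext 1")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, v.Ciphertext1[:n], v.Ciphertext1[n:], []byte(key))
	return string(pt), err
}

// Upload plays org1: it seals one constructed storage hash for org2 into a ledger.
func Upload() (*rsa.PrivateKey, Ledger, string, error) {
	sym := make([]byte, 32) // org1's AES-256 key, held by its identity module
	if _, err := rand.Read(sym); err != nil {
		return nil, nil, "", err
	}
	org2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, "", err
	}
	key := LedgerKey("org1", "FLIGHT-0001", "FIELD-07") // constructed IDs
	c1, c2, err := Seal(sym, &org2.PublicKey, key, "constructed-ipfs-storage-hash")
	return org2, Ledger{key: {"2020-12-24", c1, c2, "org2"}}, key, err
}

func main() {
	org2, l, key, err := Upload()
	if err != nil {
		panic(err)
	}
	v, _ := l.Query("org2", key)
	fmt.Println(Open(org2, key, v))
	_, err = l.Query("org3", key)
	fmt.Println("org3:", err)
}
```

When org1 rotates its symmetric key, as in item (2) of step 2, ciphertext 2 has to be re-sealed for every grantee, and earlier ciphertext 1 records remain readable only with the old key.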
Compared with the prior art, the invention has the beneficial effects that:
The invention uses the tamper-resistance of the blockchain data structure and the decentralization of the blockchain network to let different organizations negotiate and build a permissioned, enterprise-grade consortium chain. Different organizations take on different tasks; even if an organization's identity-authentication private key is leaked, only the certificates issued by that organization's intermediate CA are affected; and a more flexible, fine-grained isolation mechanism for sensitive data is adopted. Finally, pressure on the blockchain network is reduced through the resource layer's packaging of device data, the identity certificate management scheme and IPFS, effectively addressing data fusion, device security, information protection and multi-party coordination in building a QAR data management system.
Drawings
FIG. 1 is a schematic flow chart of an embodiment of the present invention;
FIG. 2 is a timing diagram of the upload of org1 sensitive data fields according to the present invention;
FIG. 3 is a timing diagram of query of sensitive data fields of the client org2 according to the present invention.
Detailed Description
The invention will be further illustrated by the following examples in conjunction with the accompanying drawings.
As shown in fig. 1, the invention is divided into an application layer, a network layer and a resource layer. In the network layer design, different organizations take on different tasks; even if an organization's identity-authentication private key is leaked, only the certificates issued by that organization's intermediate CA are affected, and a more flexible, fine-grained protection mechanism for sensitive data avoids the network-performance cost of coarse-grained approaches such as channel isolation. In the resource layer, the data processing module corrects, divides and packages the data, while the identity management module is mainly responsible for user information management and data key management within the organization to keep the data secure; IPFS is introduced to further reduce pressure on the blockchain network. The application layer directly serves users with different permissions under each organization, enabling data sharing among the organizations.
The QAR data management method based on the block chain technology specifically comprises the following steps:
Step one: build a consortium chain among the network servers of the different organizations using Hyperledger Fabric, and construct the IPFS network. First, in the network layer design, different organizations take on different tasks; through the intermediate CAs, even if an organization's identity-authentication private key is leaked, only the certificates issued by that organization's intermediate CA are affected. Second, the ledger design in the network adopts a <k, v> key-value format, where the key is <organization ID, flight ID, data field ID> and the value is a series of nested JSON data stored under the key, comprising the data field data, the data date and the IPFS file address (the storage hash). The fine-grained data isolation and authorization scheme for sensitive data fields works as follows. As shown in fig. 2, org1 needs to authorize a sensitive data field so that formal users under org2 can view it while users of other organizations in the same channel cannot. First, after the data has been processed through IPFS and the corresponding storage hash is to be written on-chain, org1 encrypts it symmetrically to produce ciphertext 1, which is written on-chain. Second, the symmetric key is encrypted asymmetrically with org2's public key to produce ciphertext 2, which is also written on-chain; the public key is obtained from the blockchain network's state database. Finally, when a formal user under org2 views the corresponding sensitive device field data, org2's private key is used after identity verification, the chaincode is called to decrypt org1's symmetric key, and the symmetric key decrypts the ciphertext to recover the plaintext storage hash, which is returned to the application layer.
Step two: the data-sharing organization interacts with the network layer's IPFS and blockchain network through the resource layer gateway server to process the original QAR data and write it on-chain. As shown in fig. 2, first, the data processing module under Org1 divides and corrects the data fields by flight ID and data type, stores them in the local database and counts the data currently held for the field; when the count reaches the predefined data size, it immediately packages the data and stores it in IPFS. Second, it obtains the device identity information from the identity management module and combines the flight ID, storage hash, data date and other information into the form required by the network layer's ledger design. Finally, it sends a transaction proposal, writes the data on-chain to obtain a transaction hash, and stores the transaction hash in the Web Server's back-end database via an HTTP request. If the uploaded device data field is determined to be sensitive, the storage hash is processed by the method in step one.
Step three: develop the Web application using the Fabric SDK and a Web application development framework to provide data sharing and permission control among the organizations. An ordinary user has the right to view data only after an organization administrator has submitted the user's identity information to the organization's intermediate CA, making the user a formal user; the identity information table is associated with the user table. When a user with permission queries data, the application interacts with the chaincode, using the organization ID, flight ID, data field ID, transaction hash and other information, to determine whether a storage hash address exists for that data field ID and data date; if so, it goes on to query IPFS for the original data and returns it to the application layer. For a sensitive data field, as shown in fig. 3: first, after the transaction hash is obtained, the corresponding ciphertext 1 is obtained by interacting with the chaincode, and the Web Server initiates another transaction proposal, according to the data object the user requested, to obtain ciphertext 2; second, the Web Server decrypts ciphertext 2 with org2's private key to obtain org1's symmetric key; finally, the symmetric key decrypts ciphertext 1 to yield the storage hash, with which the actual data block is fetched from IPFS and returned.
Specific examples are given below.
The embodiment comprises the following steps:
Step one: build a consortium chain among the network servers of the different organizations using Hyperledger Fabric, and construct the IPFS network.
1) Deploy and build the Fabric network on multiple servers in the production environment according to the network structure design.
a) The blockchain network contains 1 channel for sharing data, a set of orderer nodes for the ordering service, 4 peer nodes in the domain belonging to the Org1 and Org2 organizations, and 2 CA nodes; members of Org1 provide data and members of Org2 acquire data.
b) Configure the docker container in which each node runs to complete the Fabric environment, and start the corresponding image services with docker-compose to complete the deployment.
2) Develop the intermediate CAs using the fabric-ca-server service and issue certificates for the users of the different organizations.
a) Generate a certificate for each component and user in the designed network, store it in the directory corresponding to the node's domain name, and write the corresponding yaml file.
b) The root CA issues certificates for the two organizations respectively to complete identity authentication.
c) Prepare a configuration file for each orderer, such as orderer0.yaml, taking care to set the certificate path of the corresponding node in it; the same applies to the core.yaml of each organization's peer nodes.
4) Create a configtx.yaml file, configure the domain names and port services of the organizations in the consortium, set the corresponding block and ordering information, and generate the genesis block and the channel configuration block.
a) Copy the directory of files generated for each node to the machine on which that node runs.
b) Create the configtx.yaml file, configure information such as the consortium's organization nodes and blocks, and generate the genesis block file with configtxgen.
c) Generate the channel file and the two organizations' org1mspanchors.tx and org2mspanchors.tx files with configtxgen.
5) Create the channel and join each organization's peer nodes to it to build the interacting network.
a) A channel configuration block, mychannel, is created in the [email protected] directory and copied into [email protected].
b) Each peer is added to the channel under the Admin users of both organizations, and each organization's anchor peer is designated for external communication.
6) Design the ledger structure and enable CouchDB as the state database.
a) The world state in the ledger is stored in the state database as key-value pairs. After the original data is corrected and divided, the key is formed from the organization ID, the flight ID and the data field ID, and the value consists of the corresponding field value, a timestamp and the IPFS file address (that is, the storage hash), held as JSON-format key-value pairs.
b) CouchDB is used as the state database to store JSON-format data and support rich queries.
7) Write the user chaincode in Go, then install and instantiate it.
a) Write the business-logic chaincode: identifying transaction objects, storing and querying the public keys of different organizations, uploading and querying ordinary and sensitive business data, and so on.
b) A fine-grained data isolation scheme is adopted; take org1 sharing sensitive equipment data with org2 as an example. Uploading a sensitive data field requires distinguishing the user identity and the transaction object. The chaincode logic first obtains the latest org2 public key stored on the chain in advance, completes the upload of ciphertext 1 (the data symmetrically encrypted by org1), and then returns the transaction hash and the org2 public key to the gateway server.
c) The chaincode is packaged and signed with the Admin identity of org1; the chaincode is installed and instantiated by switching to each peer in turn, and signed-demo-pack.out is copied to [email protected] and installed once.
Step two: the data sharing organization interacts with the network-layer IPFS and the blockchain network through the resource-layer gateway server, and completes the processing and on-chain upload of the original QAR data.
1) The gateway server back-end program automatically imports and processes the QAR data of the original database system.
a) The identity management module in the gateway server client program, using the administrator identity, sends a request to the intermediate CA1 of org1 to register an identity for the user.
b) After receiving the request, the intermediate CA verifies the user's identity; once verification passes, it generates an identity certificate for the user and returns it to the identity management module, which stores the returned certificate in a local database.
c) The user of the data sharing organization org1 imports the QAR data file of the original database system into the system through the client program of the gateway server.
d) The data processing module of the gateway server back-end program corrects abnormal and missing values in the original data using a mean-value interpolation method, then divides the data by flight ID and data field ID and converts its format.
2) The gateway server back-end program stores the processed data and puts it on the chain by interacting with IPFS and the chaincode.
a) As shown in FIG. 1, when the number of data fields reaches a preset value, the packed data block is sent to the IPFS network and the data storage hash value is returned; the preset value is the amount of data generated in one flight phase of a single flight.
b) Information about the different data fields is obtained from the identity management module to determine whether a field is sensitive; if so, a symmetric key is further obtained from the identity management module to encrypt the storage hash value. The sensitive data field list can be changed through the client program of the gateway server; it is stored in the identity management module and can be synchronized with the application-layer back-end database.
c) When the symmetric key set by the administrator through the client program of the gateway server changes, the symmetric key of org1 must be obtained from the identity management module again at upload time, and ciphertext 2, encrypted with the public key of org2, is put on the chain.
d) The data processing module processes the formatted data according to the branch business logic and ledger format requirements of the chaincode, uses the SDK to package and sign the processed upload data into a transaction proposal, and sends the proposal to the endorsing nodes in the channel.
e) The data processing module stores the returned data transaction hash value in the Web application back-end database through an HTTP request to the application-layer server.
Step three: develop a Web application with the Fabric SDK and a Web application development framework to complete data sharing and permission control among the organizations.
1) The application layer directly serves users with different permissions, who are divided into ordinary users, formal users and organization administrators.
a) The org2 user registers personal information including user name, password and affiliated organization through Web Client, and the Web Server completes user registration and saves the information in a database user table.
b) A user who has just registered in the Web Client is an ordinary user, who can only view basic information about the running state of the blockchain network and must further apply for permission to view equipment operating data.
c) The organization administrator can manage the users under the organization, and when the organization administrator approves the newly registered user to be a formal user, the organization administrator can apply identity information for the user to the CA node at the same time. The identity certificate returned by the CA node is stored in an identity information table and is associated with a user table in a database.
2) A data query request is performed.
a) As shown in FIG. 3, a formal user or an organization administrator sends different types of requests through the client. The back-end database is first queried to determine whether the request concerns sensitive data, and at the same time the Web Server performs a joined query of the database for the user identity information and the corresponding transaction hash value.
b) The Web Server interacts with the chaincode through the Fabric SDK to obtain the data storage hash value; if the query is for ordinary data, the corresponding data is queried in IPFS by that hash value and returned to the client.
c) If sensitive data is queried, a transaction proposal is initiated to obtain ciphertext 2 according to the data object requested by the user, and the org1 symmetric key is recovered by decrypting it with the org private key, so that the real data block information can be resolved.
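The sensitive-field flow described above (ciphertext 1 is the IPFS storage hash under org1's symmetric key, ciphertext 2 is that key under org2's public key) is shown end to end below. This is an added example, not code from the patent: AES-256-GCM, RSA-OAEP, the NUL-separated key layout, binding the ledger key as additional authenticated data, and all function names and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LedgerKey joins <organization ID, flight ID, data field ID>; the NUL separator is an assumption.
func LedgerKey(org, flight, field string) string {
	return org + "\x00" + flight + "\x00" + field
}

func newGCM(symKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(symKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealHash returns ciphertext 1 (nonce || sealed storage hash). The ledger key is bound as
// additional data (added hardening) so a ciphertext copied to another record will not open.
func SealHash(symKey []byte, ledgerKey, ipfsHash string) ([]byte, error) {
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(ipfsHash), []byte(ledgerKey)), nil
}

// OpenHash reverses SealHash; it fails on a wrong key, a wrong record or tampering.
func OpenHash(symKey []byte, ledgerKey string, ct1 []byte) (string, error) {
	gcm, err := newGCM(symKey)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(ct1) < n {
		return "", fmt.Errorf("ciphertext 1 is shorter than the nonce")
	}
	pt, err := gcm.Open(nil, ct1[:n], ct1[n:], []byte(ledgerKey))
	return string(pt), err
}

// WrapKey returns ciphertext 2: org1's symmetric key under org2's public key.
func WrapKey(org2Pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, org2Pub, symKey, nil)
}

// UnwrapKey is the step org2's Web Server performs with its private key in step three.
func UnwrapKey(org2Priv *rsa.PrivateKey, ct2 []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, org2Priv, ct2, nil)
}

// NewOrgKey generates a constructed sample key pair standing in for an organization's key.
func NewOrgKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	org2, err := NewOrgKey()
	if err != nil {
		panic(err)
	}
	symKey := make([]byte, 32) // constructed org1 symmetric key
	rand.Read(symKey)
	key := LedgerKey("org1", "FLT0001", "field07") // constructed IDs
	ct1, _ := SealHash(symKey, key, "QmConstructedSampleHash")
	ct2, _ := WrapKey(&org2.PublicKey, symKey)
	k, _ := UnwrapKey(org2, ct2)
	hash, err := OpenHash(k, key, ct1)
	fmt.Println(hash, err)
}
```

When org1 rotates its symmetric key, WrapKey is rerun for each authorized organization to produce a new ciphertext 2; records already sealed under the old key stay readable only while that old key is retained.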
By using blockchain technology, the invention effectively solves the problems of data fusion, information protection, multi-party coordination and the like that arise when building an aviation information management system.

Claims (1)

1. A QAR data management method based on blockchain technology, characterized in that the management framework consists, from bottom to top, of a resource layer, a network layer and an application layer:
the resource layer is the bottom-level gateway server equipment that provides data resources; physical equipment with storage and computing capability serves as a gateway server that processes the different data fields in the original QAR data, and it completes identity authentication by applying to the intermediate CA of a specific organization in the network layer and interacts with the blockchain network nodes under that organization, so that the data is transmitted further upward;
the network layer is a blockchain network, built on the Hyperledger Fabric platform, for cooperation and data sharing among multiple organizations; it serves as the storage unit that collects the data uploaded by the resource layer and as the source layer for client data access, enabling data sharing over a distributed network; the ledger structure and the chaincode deployed on the endorsing nodes and accounting nodes of the different organizations complete the business logic of data storage and data access, the intermediate CAs of the different organizations complete permission control and identity authentication for the nodes of those organizations, and the message queue Raft is used to provide the ordering service and the Gossip protocol is used to optimize blockchain network performance, ensuring consensus communication and data distribution among the nodes;
the application layer is a client built with a web application framework, comprising three layers (data processing, business logic and data interface); through interaction between the Fabric SDK and the blockchain network chaincode, it completes query, equipment management, chaincode management and user permission management within the scope of the user's permissions;
the QAR data management method based on blockchain technology specifically comprises the following steps:
step one: building a consortium chain and an IPFS network among the network servers of different organizations using Hyperledger Fabric;
the construction of the consortium chain and IPFS network comprises network structure design, chaincode design, intermediate CA development and ledger content design; the network structure is designed for multi-server deployment in a production environment, with multiple organizations sharing the same data sharing channel, corresponding endorsing and confirming peer nodes set up under each organization, and a Raft ordering mechanism adopted; the chaincode is designed as an important means of isolating sensitive data among organizations: the traditional coarse-grained channel data isolation, which has poor dynamics, is abandoned in favor of a finer-grained encryption and authorization scheme for sensitive equipment data, in which the authorization mode is changed merely by updating the chaincode or the keys, reducing the pressure on the blockchain network; in the intermediate CA development, each organization's CA node is issued and authenticated by the root CA node, users of different organizations complete information registration and identity registration by accessing their organization's intermediate CA node, obtain a legal certificate and private key and hand them to the MSP component for verification and management, and each organization's administrator has the authority to register equipment through the intermediate CA; the ledger content is designed as the storage format of peer node data in the channel and adopts a <k, v> key-value pair format, where the key is the organization ID, flight ID and data field ID, and the value is a series of JSON nested-format data stored under the key, including the data date and the IPFS file address; the IPFS network stores the original QAR data field blocks processed and packed by the resource layer, further reducing the pressure on the blockchain network;
the specific steps of building the consortium chain and IPFS network among the network servers of different organizations using Hyperledger Fabric are as follows:
(1) Different organizations take on different tasks in the network layer design, and through the intermediate CAs, even if the identity-authentication private key of an organization is leaked, only the certificates issued by that organization's intermediate CA are affected;
(2) The ledger design in the network adopts a <k, v> key-value pair format, where the key is <organization ID, flight ID, data field ID> and the value is a series of JSON nested-format data stored under the key, including the data date and the IPFS file address;
(3) The specific method of applying fine-grained data isolation and authorization to sensitive data fields is as follows: org1 is required to authorize formal users under org2 to view a sensitive data field, while users of other organizations in the same channel cannot view it; first, when the corresponding storage hash value is put on the chain after the data has been processed through IPFS, ciphertext 1 is generated by symmetric encryption with org1's key and put on the chain; second, the symmetric encryption key is encrypted asymmetrically with the org2 public key to generate ciphertext 2, which is put on the chain, the asymmetric encryption public key being obtained from the blockchain network state database; finally, when a formal user under org2 views the corresponding sensitive equipment field data, after identity verification the private key of org2 is used, the chaincode is called to decrypt the corresponding org1 symmetric key, and the symmetric key decrypts the ciphertext to obtain the plaintext storage hash value, which is returned to the application layer;
step two: the data providing organization interacts with the network-layer IPFS and the blockchain network through the resource-layer gateway server to complete the processing and on-chain upload of the original QAR data;
the specific method by which the resource-layer gateway server completes the on-chain upload of the processed QAR data through interaction with the network-layer IPFS and the blockchain network is as follows:
(1) When the number of QAR data fields reaches a preset value, the data block is packed and sent to the IPFS network and the data storage hash value is returned; information about the different data fields is obtained from the identity management module to determine whether a field is sensitive, and if so, a symmetric key is further obtained from the identity management module to encrypt the storage hash value; the sensitive data field list is changed through the client program of the gateway server, stored in the identity management module, and synchronized with the application-layer back-end database;
(2) When the symmetric key set by the administrator through the client program of the gateway server changes, the symmetric key of org1 must be obtained from the identity management module again at upload time, and ciphertext 2, encrypted with the public key of org2, is put on the chain;
(3) The data processing module processes the formatted data according to the branch business logic and ledger format requirements of the chaincode, uses the SDK to package and sign the processed upload data into a transaction proposal, and sends the proposal to the endorsing nodes in the channel;
(4) The data processing module stores the returned data transaction hash value in the Web application back-end database through an HTTP request to the application-layer server;
the processing of the original QAR data is completed as follows: the identity management module in the front-end and back-end programs of the gateway server uses the administrator identity to complete identity registration for users under the current organization and stores the returned identity certificate in a local database; a user of the data providing organization imports the QAR data files of the original database system into the system through the front-end and back-end programs of the gateway server, and the data processing module corrects abnormal and missing values in the original data using a mean-value interpolation method and divides the data and converts its format according to flight ID and data field ID;
the resource-layer gateway server is equipment inside an organization with a certain computing and storage capacity; it is not a blockchain network node, serves as the interface between the organization and the blockchain network, runs a relay program to complete data acquisition and processing for the underlying equipment, and comprises a data processing module and an identity management module;
step three: developing a Web application with the Fabric SDK and a Web application development framework to complete data sharing and permission control among the organizations;
the Web application completes user management, data query and chaincode management within the scope of the user's permissions; the application distinguishes three types of users: ordinary users, formal users and organization administrators; an ordinary user becomes a formal user, and thereby gains the right to view data, only after the organization administrator applies to the organization's intermediate CA for identity information on the user's behalf, and the identity information table that stores the information returned by the CA node is associated with the user table; a formal user or organization administrator who has obtained data query permission sends different types of requests through the client according to organization ID, flight ID and data field ID; after the Web Server identifies the request, it obtains the corresponding transaction hash value from the database, interacts with the chaincode through the Fabric SDK to obtain the data storage hash value, and finally queries the corresponding data in IPFS by that hash value and returns it to the client; for a query on a field identified as sensitive data, after the transaction hash is obtained, ciphertext 1, encrypted with the data providing organization's symmetric key, is first obtained through interaction with the chaincode; the Web Server then initiates another transaction proposal according to the data object requested by the user to obtain ciphertext 2, in which the data providing organization's symmetric key is encrypted with the data querying organization's public key; next, the Web Server decrypts ciphertext 2 with the data querying organization's private key to obtain the data providing organization's symmetric key; finally, the symmetric key decrypts ciphertext 1 to obtain the storage hash, and the real data block information is queried from IPFS and returned.
CN202011545224.2A 2020-12-23 2020-12-23 QAR data management method based on blockchain technology Active CN112671580B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011545224.2A CN112671580B (en) 2020-12-23 2020-12-23 QAR data management method based on blockchain technology

Publications (2)

Publication Number Publication Date
CN112671580A CN112671580A (en) 2021-04-16
CN112671580B true CN112671580B (en) 2023-11-24
