CN112968904A - Block chain data protection method and system - Google Patents
Block chain data protection method and system Download PDFInfo
- Publication number
- CN112968904A CN112968904A CN202110279593.XA CN202110279593A CN112968904A CN 112968904 A CN112968904 A CN 112968904A CN 202110279593 A CN202110279593 A CN 202110279593A CN 112968904 A CN112968904 A CN 112968904A
- Authority
- CN
- China
- Prior art keywords
- key
- communication
- block chain
- request
- root
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention provides a block chain data protection method and a block chain data protection system. The method comprises the following steps: the block chain node sends an encryption request or a decryption request; the root key unit updates the secondary key according to the root key according to a preset period; the secondary key unit updates the communication key according to the current secondary key and preset time; the communication key unit receives the encryption request or the decryption request, encrypts the block link points according to the current communication key and the encryption request, and decrypts the block link points according to the current communication key and the decryption request. The invention carries out encryption protection on the block chain data based on hierarchical key management, and has high safety. The key is expanded into a root key, a secondary key and a communication key, so that the safety of the system is greatly improved, the required storage space is small, and the maintenance cost is low.
Description
Technical Field
The invention relates to the field of block chains, in particular to a block chain data protection method and a block chain data protection system.
Background
In 2009, bitcoin was released, and its underlying structure blockchain has gained wide attention. In the development of many years, the blockchain technology is expanded to the outside of the financial industry from the application of digital currency to financial settlement, and covers the aspects of human social life, including various fields such as judicial affairs, medical treatment, logistics, government affairs and military affairs. The content on the blockchain also extends to multiple types of data including text data, spatio-temporal data, log data, etc. by storing only the user's money.
Due to the feature of accounting of multiple parties in the block chain, the data of the user is public, so special means is needed to ensure the data security of the user. The block chain of the virtual currency stage ensures the privacy of the user by adopting a user anonymity method, and the block chain of the alliance chain and the complex data ensures the security of the data by adopting a data encryption method on the chain. The user encrypts the data using a symmetric cryptographic algorithm before submitting the data to the uplink and decrypts the data when using the uplink data.
However, the problem with the current block chain is that the node performs encryption and decryption operations using only one key, and once the key is leaked, data on all chains is leaked. And the replacement key can only protect the data after the key is replaced, and all the data before the key is leaked cannot be protected any more, so that the key leakage causes great loss. Meanwhile, the block chain link points need to communicate with other nodes in the block chain, and are inevitably exposed in the public network, so that the block chain link points are easy to be attacked by an attacker, and the risk of key leakage is high.
Therefore, a data protection method for a block chain is needed to solve the above problems.
Disclosure of Invention
Based on the problems in the prior art, the invention provides a block chain data protection method and a block chain data protection system. The specific scheme is as follows:
a block chain data protection method is applied to a system comprising a root key unit, a secondary key unit and a communication key unit, and comprises a data protection mode:
the block chain node sends an encryption request or a decryption request;
the root key unit updates a secondary key according to the root key according to a preset period;
the secondary key unit updates the communication key according to the current secondary key and preset time;
and the communication key unit receives the encryption request or the decryption request, encrypts the block chain node according to the current communication key and the encryption request, and decrypts the block chain node according to the current communication key and the decryption request.
In a specific embodiment, the method further comprises a data recovery mode:
the block chain node sends a data recovery request containing the communication key;
the communication key unit analyzes the communication key according to the data recovery request, judges whether the communication key is correct or not, generates a first key request if the communication key is not correct, and performs decryption operation on the block chain node if the communication key is not correct;
the secondary key unit analyzes a secondary key according to the first key request, judges whether the secondary key is correct or not, generates a second key request if the secondary key is not correct, and calculates a communication key according to the secondary key and then performs decryption operation if the secondary key is correct;
and the root key unit analyzes a root key according to the second key request, judges whether the root key is correct or not, and if so, calculates a secondary key and a communication key according to the root key and then performs decryption operation.
In a specific embodiment, the "performing a decryption operation after calculating a communication key according to the secondary key" specifically includes:
the secondary key unit calculates a communication key according to the secondary key;
setting the communication key as a current communication key;
the communication key unit carries out decryption operation for the block chain nodes according to the communication key;
wherein, the "calculating a secondary key and a communication key according to the root key and then performing a decryption operation" specifically includes:
the root key unit calculates a secondary key according to the second key request;
setting the secondary key as a current secondary key;
the secondary key unit calculates a communication key according to the secondary key;
setting the communication key as a current communication key;
and the communication key unit carries out the decryption operation on the block chain node according to the communication key.
In a specific embodiment, the root key unit accesses the secondary key unit only when the secondary key is updated;
and/or the secondary key unit and the communication key unit are arranged on different servers.
In a specific embodiment, the root key unit includes a root key calculation module and a root key storage module;
the root key storage module stores all root keys and records the number of generated secondary keys;
and the root key calculation module calculates secondary keys according to the number of the secondary keys, and each secondary key corresponds to a secondary key number.
In a specific embodiment, the secondary key unit includes a secondary key calculation module and a secondary key storage module;
the secondary key storage module only stores the current secondary key and the secondary key number thereof, and records the number of communication keys generated according to the current secondary key, wherein the number of the communication keys is cleared when the current secondary key is updated;
the second-level key calculation module calculates communication keys according to the current second-level keys and the number of the communication keys, each communication key corresponds to a communication key number, and the second-level key numbers are arranged in the communication key numbers.
In a specific embodiment, the communication key unit comprises an encryption and decryption module and a communication key storage module;
the encryption and decryption module carries out encryption operation or decryption operation on the block chain node;
the communication key storage module only stores the current communication key and the communication key number thereof.
In a specific embodiment, the secondary key unit includes a plurality of key subunits, the plurality of key subunits are sequentially connected, and layer-by-layer encryption is implemented by generating subkeys.
A system for protecting data in a block chain, said system connecting block chain nodes, comprising,
a communication key unit: the system comprises a block chain node, a communication key and a decryption request, wherein the block chain node is used for receiving an encryption request or a decryption request sent by the block chain node, carrying out encryption operation on the block chain node according to a current communication key and the encryption request, and carrying out decryption operation on the block chain node according to the current communication key and the decryption request;
root key unit: the second-level key is updated according to the root key and a preset period;
a secondary key unit: and the second-level key is used for updating the communication key according to the current second-level key and preset time.
In one particular embodiment of the present invention,
the communication key unit further includes: the system comprises a block chain node, a communication key, a data recovery request and a first key request, wherein the data recovery request is used for receiving the communication key-containing data recovery request sent by the block chain node, resolving the communication key according to the data recovery request, judging whether the communication key is correct or not, if not, generating the first key request, and if yes, performing decryption operation on the block chain node;
the secondary key unit further comprises: the second key request is used for analyzing a second key according to the first key request, judging whether the second key is correct or not, if not, generating a second key request, and if yes, calculating a communication key according to the second key and then carrying out decryption operation;
the root key unit further includes: and the second key request is used for analyzing a root key according to the second key request, judging whether the root key is correct or not, and if so, calculating a secondary key and a communication key according to the root key and then carrying out decryption operation.
In one particular embodiment, the root key unit includes,
a root key storage module: the system is used for storing all the root keys and recording the number of generated secondary keys;
a root key calculation module: for calculating the secondary key according to the number of secondary keys.
In one particular embodiment, the secondary key unit includes,
a secondary key storage module: the system is used for storing the current secondary key and the serial number of the secondary key thereof and recording the number of generated communication keys;
a secondary key calculation module: for calculating the communication key according to the number of communication keys.
In one embodiment, the communication key unit includes,
an encryption and decryption module: the block chain node is used for carrying out encryption operation or decryption operation on the block chain node;
a communication key storage module: the system is used for storing the current communication key and the communication key number thereof, and the communication key number comprises the secondary key number.
Has the advantages that:
aiming at the defects of the prior art, the invention provides a block chain data protection method and a block chain data protection system, which are used for carrying out encryption protection on block chain data based on hierarchical key management and have high safety.
By providing key management and data encryption and decryption, the key is expanded into a root key, a secondary key and a communication key, and the safety is greatly improved.
By isolating the key from the block chain network, the data is guaranteed to be minimally leaked under the condition of key leakage, and the defect that data on all chains can be leaked due to key leakage in the prior art is overcome.
The key is isolated from the blockchain network, so that the possibility of network attack by hackers is reduced, and the data security is further ensured.
The historical secret key does not need to be stored, the maintenance cost of the cryptosystem can be reduced, the storage space is reduced, and the possibility of revealing all encryption and decryption secret keys at one time is avoided.
The user may select a password protection scheme based on the security level.
After the data loss of the block chain, each key unit can actively initiate a request to the key unit of the previous stage, so as to realize data recovery.
The user only needs to input the communication key used currently or historically, data recovery can be achieved, and the practicability is high.
The block chain data protection method is modularized to form a specific system, so that the system has higher practicability.
The blockchain data protection system is transparent to the blockchain frame, and only the traditional encryption service needs to be replaced without changing the blockchain frame.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a block chain diagram according to an embodiment of the present invention;
fig. 2 is a flowchart of a block chain data protection method according to embodiment 1 of the present invention;
fig. 3 is a diagram of another block chain data protection method according to embodiment 1 of the present invention;
FIG. 4 is a flowchart of a method for protecting blockchain data according to embodiment 2 of the present invention;
FIG. 5 is a flowchart of a data recovery mode according to embodiment 2 of the present invention;
fig. 6 is a schematic diagram of an application of the block chain data protection system according to embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a block chain data protection method and a block chain data protection system according to the characteristics of a block chain environment, and block chain data are protected by using a hierarchical key management mode.
A typical blockchain-based service system comprises three parts, namely a blockchain network, nodes and a service system, as shown in the figure 1 of the specification. The block chain network is a linked list composed of blocks and commonly maintained by a plurality of nodes. Each chunk in the linked list has a hash pointer to the previous chunk, thereby ensuring that the data on the linked list is not tampered. The blockchain node locally maintains a database, and the stored content of the database is the current state of the data on the blockchain. The blockchain system operates the database through transactions, and the uplink transactions modify the contents in the database. The data of the node local database is stored in a plaintext, but the node submits the data after encrypting the data when submitting a block chain on the data, namely, constructing a transaction. After the consensus of the transaction blockchain network, the node decrypts the transaction content and updates the local database. The service system operates the unit provided by the user and selects the data needing to be uplink stored and submits the data to the node. After the service system is damaged accidentally, the block chain can recover the data linked in the service system, i.e. the disaster recovery function of the block chain.
It should be noted that the key in the present application includes, but is not limited to, any data format capable of providing an encryption function.
Example 1
The embodiment provides a method for protecting blockchain data, which realizes protection of blockchain data by providing a multi-level key and modifying the key at regular time. The specific process is as the specification with attached figure 2, and the specific scheme is as follows:
a block chain data protection method is applied to a system comprising a root key unit, a secondary key unit and a communication key unit. The method comprises a data protection mode, and the specific steps of the data protection mode are as follows:
the block chain node sends an encryption request or a decryption request;
the root key unit updates the secondary key according to the root key according to a preset period;
the secondary key unit updates the communication key according to the current secondary key and preset time;
the communication key unit receives the encryption request or the decryption request, encrypts the block chain nodes according to the current communication key, and decrypts the block chain nodes according to the current communication key and the decryption request.
In this embodiment, the communication key unit connects the block chain nodes, the block chain nodes transmit encryption requests or decryption requests, and the communication key unit performs encryption operations or decryption operations according to the requests.
The encryption operation comprises the following steps: and the communication key unit encrypts the block chain nodes according to the encryption request, and a user needs to provide a correct communication key to extract the data in the block chain nodes. The decryption operation includes: and the communication key unit unlocks the encrypted block chain nodes according to the communication key provided by the block chain nodes.
In this embodiment, the root key unit includes a root key storage module and a root key calculation module.
The root key storage module stores all root keys including a currently used root key and a historical root key, and is provided with a secondary key counter. The secondary key counter is used for recording the number of generated secondary keys, and the secondary key counter is increased by 1 every time one secondary key is generated.
And the root key calculation module calculates the next secondary key according to the value of the secondary key counter and increases the secondary key counter by 1.
In particular, the root key unit may generate one or more secondary keys at a time, select one or more secondary keys as the current secondary keys, and send the one or more secondary keys to the secondary key unit.
The security level of the root key is the highest, the root key unit can adopt independent hardware storage or off-line machine storage, and the secondary key unit is accessed only when the secondary key is updated. The offline machine includes a server that does not access the internet or a server that does not access the blockchain network. The separate hardware storage includes, but is not limited to, hardware storage media such as a removable hard disk and the like. The root key is used as the most initial key, has the highest security level, and is stored by adopting independent hardware or an offline machine, so that a hacker can be prevented from acquiring the root key through network attack, and the block chain data is further protected. The user can update the root key through the root key unit in a preset period and also can modify the root key manually.
It should be noted that the root key may be manually set, or may be randomly generated by the root key unit.
In this embodiment, the secondary key unit includes a secondary key storage module and a secondary key calculation module, and the secondary key unit needs to be configured on an independent machine and is not on the same server as the communication key unit.
The secondary key storage module only stores the currently used secondary key and is provided with a communication key counter. The key storage module does not store the secondary key used historically, but only stores the currently used secondary key and the number of the secondary key. The communication key counter counts the communication keys generated by the current secondary key, and the communication key counter is cleared when the secondary key is updated.
And the secondary key calculation module calculates the next communication key according to the value of the communication key counter and increases the communication key counter by 1. The secondary key calculation module may generate a plurality of communication keys from one secondary key.
The secondary key unit is used as a secondary key unit, and the security is only second to the root key. The secondary key is the basis of the generation of the communication key, and the safety of the system is further improved. It should be noted that, because the number of the secondary keys is uncertain, the secondary key unit only stores the currently used secondary key, and the currently used secondary key also includes one or more secondary keys. In order to save the storage cost and further improve the security of the system, a hacker is prevented from decoding the current secondary key according to the historical secondary key, the secondary key storage module does not store the historical secondary key, and only stores the currently used secondary key and the serial number of the secondary key. The secondary key unit generates one or more communication keys based on the secondary key.
The communication key unit comprises a communication key storage module and an encryption and decryption module, and can be configured on a single machine or on the same machine with the block link nodes.
The communication key storage module stores a currently used communication key and a number of the communication key. And the key storage module does not store historical communication keys and only stores currently used communication keys and numbers thereof. The number of the communication key comprises the number of the secondary key and the serial number of the corresponding secondary key unit when the current communication key is generated.
And the encryption and decryption module acquires an input encryption request or decryption request from the block chain link point, performs encryption or decryption operation according to the parameters and returns the encryption or decryption operation to the block chain node.
In a data protection mode, i.e., in an environment where the blockchain system is operating normally, the communication key unit provides encryption and decryption operations to the blockchain nodes. The secondary key unit periodically initiates a key update request to the communication key module. The period of updating the secondary key by the root key unit is judged by the user. All key updates are unidirectional at this time, and the update request is initiated from the upper-level key unit to the lower-level key unit. The next level key unit cannot actively initiate a request to the previous level. The method realizes that only part of data is lost when one communication key is lost, and most of data is still safe.
In one particular implementation, the secondary key unit may be omitted as an intermediary. Data encryption can be realized through the root key unit and the communication key unit. The root key unit generates a communication key in a preset period according to the root key, and the communication key unit performs encryption and decryption operations according to the communication key. The embodiment is suitable for the block chain environment with low security level. The root key unit adopts a separate storage medium and accesses the communication key unit only when updating the communication key.
In one particular implementation, the secondary key unit includes a plurality of sub-units as an intermediary device. And the plurality of subunits are encrypted layer by layer through the generated keys. For example, the secondary key unit includes a first key unit, a second key unit, and a third key unit, where the first key unit generates a first key according to the current secondary key, the second key unit generates a second key according to the first key, and the third key unit generates a communication key according to the second key, as shown in fig. 3 of the specification. The embodiment is suitable for the block chain environment with high security level, and the sub-units with proper quantity can be selected for encryption according to the security level.
According to the characteristics of the blockchain environment, the embodiment provides a blockchain data protection method, which provides key management and data encryption and decryption, expands keys into a root key, a secondary key and a communication key, wherein the secondary key is generated according to the root key, and the communication key is generated according to the secondary key. The root key has the highest level of security and can be isolated using separate hardware or stored on a separate machine, isolated from the internet, and only accessed when in use as a secondary key unit. The secondary key is used for generating a communication key at regular time, is stored on a machine different from the machine for storing the communication key, is isolated from an external network, and is only communicated with the machine for encrypting and decrypting by using the communication key. The communication key may be stored on a block-linked node machine or other machine connected to the node machine, and the key management system provides the encryption and decryption unit to the node based on the communication key.
The embodiment isolates the key from the block chain network, ensures the minimum leakage of data under the condition of key leakage, and solves the defect that the data on all chains can be leaked due to key leakage in the prior art. And the secret key is isolated from the block chain network, so that the possibility of network attack by hackers is reduced, and the data security is further ensured. The historical secret key does not need to be stored, the maintenance cost of the cryptosystem can be reduced, the storage space is reduced, and the possibility of revealing all encryption and decryption secret keys at one time is avoided. In addition, the user can select an appropriate password protection scheme according to the security level of the blockchain data.
Example 2
In this embodiment, a data recovery mode is added on the basis of the block chain data protection method in embodiment 1, so that the functionality of the method is further expanded. The flow steps of the data recovery mode are as shown in the attached figure 4 of the specification, and the specific scheme is as follows:
and (3) data recovery mode:
the block chain nodes send data recovery requests containing communication keys;
the communication key unit analyzes a communication key according to the data recovery request, judges whether the communication key is correct or not, generates a first key request if the communication key is not correct, and performs decryption operation on the block chain nodes if the communication key is not correct;
the secondary key unit analyzes a secondary key according to the first key request, judges whether the secondary key is correct or not, generates a second key request if the secondary key is not correct, and performs a first decryption operation on the block chain nodes if the secondary key is not correct;
the root key unit performs a second decryption operation on the block link points according to the second key request key.
The flow chart of the data recovery mode is shown in figure 5 of the specification.
The communication key unit receives a data recovery request of the blockchain node. The data recovery request is only for the data recovery mode, and the data recovery request contains a communication key. The communication key unit analyzes the communication key of the data recovery request and judges whether the communication key is correct, namely whether the communication key is the current communication key. If the judgment result is yes, the communication key is correct, the communication key unit carries out decryption operation on the block chain link points, acquires data stored in the decrypted block chain link points and returns the data to the block chain link points, and data recovery is achieved. If not, the communication key is incorrect, and the communication key unit generates a first key request to the secondary key unit.
And the secondary key unit receives the second key request, deduces a secondary key according to the communication key, and judges whether the secondary key is the currently used secondary key or not. If the judgment result is yes, the secondary key is correct, and the secondary key unit executes the first decryption operation. The first decryption operation is: and the second-level key unit calculates a communication key according to the second-level key, sets the communication key as the current communication key, receives a new communication key at the moment, and is the same as the communication key in the data recovery request, and then decrypts the block chain nodes by the communication key unit to obtain the data stored in the decrypted block chain nodes and returns the data to the block chain nodes to realize data recovery. If the judgment result is negative, the secondary key is incorrect, and the secondary key unit generates a second key request to the root key unit.
The root key unit receives the second key request, derives a root key according to the secondary key, and judges whether the root key is a used or in-use root key. If the judgment result is yes, the root key is correct, and the root key unit executes a second decryption operation. The second decryption operation includes: the root key unit calculates a secondary key according to the root key, and stores the secondary key as a current secondary key. And the secondary key unit receives the new secondary key consistent with the secondary key in the first key request, and then the secondary key unit executes the first decryption operation. If the structure is judged to be not correct, the root key is incorrect, the root key unit refuses to provide the key, and the data recovery fails.
Because the secondary key unit and the communication key unit only store the currently used key, when the key is lost, the root key unit can gradually derive the corresponding root key according to the key only by inputting the used communication key.
In data recovery mode, i.e. loss of blockchain data due to an unexpected occurrence, each key unit may actively initiate a request to the previous key unit. The proposed system performs data recovery offline. The communication key unit receives the decryption request, judges the key information, requests the key from the secondary key unit, judges the father key of the key, and requests the key from the root key unit. And after receiving the key request unit, the root key unit calculates a key according to the number and returns the key to the secondary key unit, the secondary key unit calculates a communication key according to the received secondary key and the key number and sends the key to the communication key unit, and the communication key unit decrypts data by using the key and finally returns the data to the block chain node. After the process is executed once, the key system returns the decrypted data to the block chain node, and the block chain node updates the local database and the service system database by using the decrypted data to recover the data. And the data recovery is completed until the data on all the blockchains are updated to the local database and the service database.
In this embodiment, on the basis of embodiment 1, a data recovery mode is added, and the functionality of the method is further expanded. After the data loss of the block chain, each key unit can actively initiate a request to the key unit of the previous stage, so as to realize data recovery. The user only needs to input the communication key used currently or historically, data recovery can be achieved, and the practicability is high.
Example 3
In this embodiment, on the basis of embodiment 2, the block chain data protection method provided in embodiment 2 is systematized to form a block chain data protection system, and a schematic diagram of each module is shown in fig. 4 in the specification. The specific scheme is as follows:
a block chain data protection system, a data protection mode and a data recovery mode.
In a data protection mode, the system includes a communication key unit, a root key unit, and a secondary key unit. The method specifically comprises the following steps:
a communication key unit: the system comprises a block chain node, a communication key and a decryption request, wherein the block chain node is used for receiving an encryption request or a decryption request sent by the block chain node, carrying out encryption operation on the block chain node according to the current communication key and carrying out decryption operation on the block chain node according to the current communication key and the decryption request;
root key unit: the second-level key is used for updating the current second-level key according to the root key and a preset period;
a secondary key unit: the device is used for updating the current communication key according to the current secondary key and preset time;
in a data recovery mode, the system includes a communication key unit, a root key unit, and a secondary key unit. The method specifically comprises the following steps:
a communication key unit: the device comprises a receiving module, a first key generation module, a second key generation module, a first key generation module and a second key generation module, wherein the receiving module is used for receiving a data recovery request containing a communication key sent by a block chain node, resolving the communication key according to the data recovery request, judging whether the communication key is correct, if not, generating a first key request, and if so, performing decryption operation on the block chain node;
a secondary key unit: the second key request is used for analyzing a second key according to the first key request, judging whether the second key is correct or not, if not, generating a second key request, and if so, performing a first decryption operation on the block chain nodes; the secondary key unit can comprise a plurality of key subunits, and the safety of the system is further improved.
Root key unit: and the second decryption module is used for analyzing a root key according to the second key request, judging whether the root key is correct or not, and if so, performing second decryption operation.
Wherein the first decryption operation comprises: the secondary key unit calculates a communication key according to the secondary key; setting the communication key as a current communication key; the communication key unit carries out decryption operation for the block chain link points according to the communication key;
wherein the second decryption operation comprises: the root key unit calculates a secondary key according to the second key request; setting the secondary key as the current secondary key; a first decryption operation is performed.
Specifically, the root key unit includes a root key storage module and a root key calculation module.
A root key storage module: the system is used for storing all the root keys and recording the number of generated secondary keys; the root key storage module stores all root keys and is provided with a secondary key counter. The secondary key counter is used for recording the number of generated secondary keys, and the counter is increased by 1 every time one secondary key is generated.
A root key calculation module: for calculating the secondary key based on the number of secondary keys. And the root key calculation module calculates the next secondary key according to the value of the secondary key counter and increases the secondary key counter by 1.
Specifically, the secondary key unit comprises a secondary key storage module and a secondary key calculation module.
A secondary key storage module: the system comprises a storage module, a first key generation module, a second key generation module, a first key generation module and a second key generation module, wherein the storage module is used for storing a currently used second key and a second key number thereof and recording the number of generated communication keys; the secondary key storage module only stores the currently used secondary key and is provided with a communication key counter. The key storage module does not store the secondary key used historically, but only stores the currently used secondary key and the number of the secondary key. The communication key counter is the number of communication keys generated by the current secondary key, and the communication key counter is cleared when the secondary key is updated.
A secondary key calculation module: for calculating the traffic key based on the number of traffic keys. And the secondary key calculation module calculates the next communication key according to the value of the communication key counter and increases the communication key counter by 1.
Specifically, the communication key unit comprises an encryption and decryption module and a communication key storage module.
An encryption and decryption module: the encryption operation or the decryption operation is carried out on the block link points;
a communication key storage module: the system is used for storing the currently used communication key and the communication key number thereof, and the communication key number comprises a secondary key number.
The blockchain data protection system provided by this embodiment is transparent to the blockchain frame, and only the conventional encryption service needs to be replaced, and no change needs to be made to the blockchain frame, and is applied to the blockchain as shown in fig. 6 in the description.
Aiming at the prior art, the invention provides a block chain data protection method and a block chain data protection system, which are used for carrying out encryption protection on block chain data based on hierarchical key management and have high safety. By providing key management and data encryption and decryption, the key is expanded into a root key, a secondary key and a communication key, and the safety is greatly improved. By isolating the key from the block chain network, the data is guaranteed to be minimally leaked under the condition of key leakage, and the defect that data on all chains can be leaked due to key leakage in the prior art is overcome. And the secret key is isolated from the block chain network, so that the possibility of network attack by hackers is reduced, and the data security is further ensured. The historical secret key does not need to be stored, the maintenance cost of the cryptosystem can be reduced, and the possibility that all encryption and decryption secret keys are leaked at one time is avoided. The user may select a password protection scheme based on the security level. After the data loss of the block chain, each key unit can actively initiate a request to the key unit of the previous stage, so as to realize data recovery. The user only needs to input the communication key used currently or historically, data recovery can be achieved, and the practicability is high. The block chain data protection method is modularized to form a specific system, so that the system has higher practicability. The blockchain data protection system is transparent to the blockchain frame, and only the traditional encryption service needs to be replaced without changing the blockchain frame.
It will be understood by those skilled in the art that the modules or steps of the invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of computing devices, and optionally they may be implemented by program code executable by a computing device, such that it may be stored in a memory device and executed by a computing device, or it may be separately fabricated into various integrated circuit modules, or it may be fabricated by fabricating a plurality of modules or steps thereof into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
The above disclosure is only a few specific implementation scenarios of the present invention, however, the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.
Claims (13)
1. A method for protecting data of a block chain is applied to a system comprising a root key unit, a secondary key unit and a communication key unit, and comprises a data protection mode:
the block chain node sends an encryption request or a decryption request;
the root key unit updates a secondary key according to the root key according to a preset period;
the secondary key unit updates the communication key according to the current secondary key and preset time;
and the communication key unit receives the encryption request or the decryption request, encrypts the block chain node according to the current communication key and the encryption request, and decrypts the block chain node according to the current communication key and the decryption request.
2. The method of claim 1, further comprising a data recovery mode:
the block chain node sends a data recovery request containing the communication key;
the communication key unit analyzes the communication key according to the data recovery request, judges whether the communication key is correct or not, generates a first key request if the communication key is not correct, and performs decryption operation on the block chain node if the communication key is not correct;
the secondary key unit analyzes a secondary key according to the first key request, judges whether the secondary key is correct or not, generates a second key request if the secondary key is not correct, and calculates a communication key according to the secondary key and then performs decryption operation if the secondary key is correct;
and the root key unit analyzes a root key according to the second key request, judges whether the root key is correct or not, and if so, calculates a secondary key and a communication key according to the root key and then performs decryption operation.
3. The method according to claim 2, wherein the "performing a decryption operation after calculating a communication key according to the secondary key" specifically includes:
the secondary key unit calculates a communication key according to the secondary key;
setting the communication key as a current communication key;
the communication key unit carries out decryption operation for the block chain nodes according to the communication key;
wherein, the "calculating a secondary key and a communication key according to the root key and then performing a decryption operation" specifically includes:
the root key unit calculates a secondary key according to the second key request;
setting the secondary key as a current secondary key;
the secondary key unit calculates a communication key according to the secondary key;
setting the communication key as a current communication key;
and the communication key unit carries out the decryption operation on the block chain node according to the communication key.
4. The method of claim 2, wherein the root key unit accesses the secondary key unit only when updating the secondary key;
and/or the secondary key unit and the communication key unit are arranged on different servers.
5. The method of claim 2, wherein the root key unit comprises a root key computation module and a root key storage module;
the root key storage module stores all root keys and records the number of generated secondary keys;
and the root key calculation module calculates secondary keys according to the number of the secondary keys, and each secondary key corresponds to a secondary key number.
6. The method of claim 5, wherein the secondary key unit comprises a secondary key calculation module and a secondary key storage module;
the secondary key storage module only stores the current secondary key and the secondary key number thereof, and records the number of communication keys generated according to the current secondary key, wherein the number of the communication keys is cleared when the current secondary key is updated;
the second-level key calculation module calculates communication keys according to the current second-level keys and the number of the communication keys, each communication key corresponds to a communication key number, and the second-level key numbers are arranged in the communication key numbers.
7. The method of claim 6, wherein the communication key unit comprises an encryption/decryption module and a communication key storage module;
the encryption and decryption module carries out encryption operation or decryption operation on the block chain node;
the communication key storage module only stores the current communication key and the communication key number thereof.
8. The method according to claim 2, wherein the secondary key unit comprises a plurality of key subunits, the plurality of key subunits are connected in sequence, and layer-by-layer encryption is achieved by generating subkeys.
9. A system for protecting data in a block chain, wherein the system connects block chain nodes, comprising,
a communication key unit: the system comprises a block chain node, a communication key and a decryption request, wherein the block chain node is used for receiving an encryption request or a decryption request sent by the block chain node, carrying out encryption operation on the block chain node according to a current communication key and the encryption request, and carrying out decryption operation on the block chain node according to the current communication key and the decryption request;
root key unit: the second-level key is updated according to the root key and a preset period;
a secondary key unit: and the second-level key is used for updating the communication key according to the current second-level key and preset time.
10. The system of claim 9,
the communication key unit further includes: the system comprises a block chain node, a communication key, a data recovery request and a first key request, wherein the data recovery request is used for receiving the communication key-containing data recovery request sent by the block chain node, resolving the communication key according to the data recovery request, judging whether the communication key is correct or not, if not, generating the first key request, and if yes, performing decryption operation on the block chain node;
the secondary key unit further comprises: the second key request is used for analyzing a second key according to the first key request, judging whether the second key is correct or not, if not, generating a second key request, and if yes, calculating a communication key according to the second key and then carrying out decryption operation;
the root key unit further includes: and the second key request is used for analyzing a root key according to the second key request, judging whether the root key is correct or not, and if so, calculating a secondary key and a communication key according to the root key and then carrying out decryption operation.
11. The system of claim 10, wherein the root key unit comprises,
a root key storage module: the system is used for storing all the root keys and recording the number of generated secondary keys;
a root key calculation module: for calculating the secondary key according to the number of secondary keys.
12. The system of claim 11, wherein the secondary key unit comprises,
a secondary key storage module: the system is used for storing the current secondary key and the serial number of the secondary key thereof and recording the number of generated communication keys;
a secondary key calculation module: for calculating the communication key according to the number of communication keys.
13. The system according to claim 12, wherein the communication key unit includes,
an encryption and decryption module: the block chain node is used for carrying out encryption operation or decryption operation on the block chain node;
a communication key storage module: the system is used for storing the current communication key and the communication key number thereof, and the communication key number comprises the secondary key number.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110279593.XA CN112968904B (en) | 2021-03-16 | 2021-03-16 | Block chain data protection method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110279593.XA CN112968904B (en) | 2021-03-16 | 2021-03-16 | Block chain data protection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112968904A true CN112968904A (en) | 2021-06-15 |
| CN112968904B CN112968904B (en) | 2022-09-06 |
Family
ID=76279279
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110279593.XA Active CN112968904B (en) | 2021-03-16 | 2021-03-16 | Block chain data protection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112968904B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106059771A (en) * | 2016-05-06 | 2016-10-26 | 上海动联信息技术股份有限公司 | Intelligent POS machine secret key management system and method |
| US20180145831A1 (en) * | 2016-11-21 | 2018-05-24 | Sap Se | Online change of encryption root keys in a distributed database management system |
| CN110033258A (en) * | 2018-11-12 | 2019-07-19 | 阿里巴巴集团控股有限公司 | Business datum encryption method and device based on block chain |
| CN111010265A (en) * | 2019-12-21 | 2020-04-14 | 上海中和软件有限公司 | Block chain organization key management method based on hierarchical key and BLS digital signature |
| CN111291399A (en) * | 2020-03-05 | 2020-06-16 | 联想(北京)有限公司 | Data encryption method, system, computer system and computer readable storage medium |
| CN112272090A (en) * | 2020-10-27 | 2021-01-26 | 深圳安捷丽新技术有限公司 | Key generation method and device |
-
2021
- 2021-03-16 CN CN202110279593.XA patent/CN112968904B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106059771A (en) * | 2016-05-06 | 2016-10-26 | 上海动联信息技术股份有限公司 | Intelligent POS machine secret key management system and method |
| US20180145831A1 (en) * | 2016-11-21 | 2018-05-24 | Sap Se | Online change of encryption root keys in a distributed database management system |
| CN110033258A (en) * | 2018-11-12 | 2019-07-19 | 阿里巴巴集团控股有限公司 | Business datum encryption method and device based on block chain |
| CN111010265A (en) * | 2019-12-21 | 2020-04-14 | 上海中和软件有限公司 | Block chain organization key management method based on hierarchical key and BLS digital signature |
| CN111291399A (en) * | 2020-03-05 | 2020-06-16 | 联想(北京)有限公司 | Data encryption method, system, computer system and computer readable storage medium |
| CN112272090A (en) * | 2020-10-27 | 2021-01-26 | 深圳安捷丽新技术有限公司 | Key generation method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112968904B (en) | 2022-09-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11425108B2 (en) | Blockchain-based service data encryption methods and apparatuses | |
| CN102891876B (en) | Distributed data encryption method and system under cloud computing environment | |
| US9698974B2 (en) | Method for creating asymmetrical cryptographic key pairs | |
| CN111245597A (en) | Key management method, system and equipment | |
| US10650169B2 (en) | Secure memory systems | |
| EP3531365B1 (en) | Computer system, connection apparatus, and processing method using transaction | |
| US11588631B2 (en) | Systems and methods for blockchain-based automatic key generation | |
| JP2022531497A (en) | Transfer of digital asset ownership over a one-way connection | |
| CN112199697A (en) | Information processing method, device, equipment and medium based on shared root key | |
| Virvilis et al. | A cloud provider-agnostic secure storage protocol | |
| CN112184444A (en) | Method, apparatus, device and medium for processing information based on information characteristics | |
| CN116680241A (en) | Electronic government affair data safe sharing method based on blockchain | |
| US10929151B2 (en) | Computer-implemented method for replacing a data string by a placeholder | |
| Shivaramakrishna et al. | A novel hybrid cryptographic framework for secure data storage in cloud computing: Integrating AES-OTP and RSA with adaptive key management and Time-Limited access control | |
| CN112818404B (en) | Data access permission updating method, device, equipment and readable storage medium | |
| CN112968904B (en) | Block chain data protection method and system | |
| US11921877B2 (en) | Efficient random tokenization in the cloud | |
| Ramprasath et al. | Protected data sharing using attribute based encryption for remote data checking in cloud environment | |
| CN116155483A (en) | Block chain signing machine safety design method and signing machine | |
| CN111881474B (en) | Private key management method and device based on trusted computing environment | |
| WO2022193119A1 (en) | Blockchain data protection method and system | |
| CN113064761B (en) | Data recovery method, server, encryption device, terminal and medium | |
| JP2018098757A (en) | Communication apparatus and cryptographic processing system | |
| Gupta et al. | Hybrid Multi-User Based Cloud Data Security for Medical Decision Learning Patterns | |
| CN101470643B (en) | Fixed hardware security unit backup and recovery method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |