CN113572759B - Data management method and device, electronic equipment and storage medium - Google Patents

Data management method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN113572759B
CN113572759B CN202110825503.2A CN202110825503A CN113572759B CN 113572759 B CN113572759 B CN 113572759B CN 202110825503 A CN202110825503 A CN 202110825503A CN 113572759 B CN113572759 B CN 113572759B
Authority
CN
China
Prior art keywords
data
node
authorization token
source node
target node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110825503.2A
Other languages
Chinese (zh)
Other versions
CN113572759A (en
Inventor
王学强
李艺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huakong Tsingjiao Information Technology Beijing Co Ltd filed Critical Huakong Tsingjiao Information Technology Beijing Co Ltd
Priority to CN202110825503.2A priority Critical patent/CN113572759B/en
Publication of CN113572759A publication Critical patent/CN113572759A/en
Application granted granted Critical
Publication of CN113572759B publication Critical patent/CN113572759B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data management method, a data management device, electronic equipment and a storage medium, which are used for solving the problem of lower security in a secure multiparty computing scene. The method is applied to the electronic equipment in the multiparty safety computing system, the electronic equipment is used for managing metadata in the multiparty safety computing system, and the data management method comprises the following steps: receiving a data request sent by a source node, wherein the data request comprises: a source node identifier and a data identifier; judging whether an authorization token corresponding to the source node identification is stored in an access control list of the electronic equipment, wherein the authorization token is used for authorizing the source node to access a target node corresponding to the data identification; if yes, sending an authorization token to the source node so that the source node forwards the authorization token to the target node, or sending the authorization token to the target node so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier.

Description

Data management method and device, electronic equipment and storage medium
Technical Field
The present application relates to the technical field of multiparty secure computing and data management, and in particular, to a data management method, apparatus, electronic device, and storage medium.
Background
Multiparty Secure computing (MPC), also known as Secure Multiparty Computing (SMC), the study of MPC is mainly directed to the problem of how to securely compute a commitment function without a trusted third party.
In a multiparty secure computing system, there is a need for a data management method that can manage the data of each party while ensuring the security of the data.
Disclosure of Invention
An object of the embodiments of the present application is to provide a data management method, apparatus, electronic device, and storage medium, for improving the problem of low security in a secure multiparty computing scenario.
The embodiment of the application provides a data management method, which is applied to electronic equipment in a multiparty secure computing system, wherein the electronic equipment is used for managing metadata in the multiparty secure computing system, and the metadata comprises: meta-information of intermediate result data and meta-information of plaintext data registered by a data node in a multiparty secure computing system; a data management method comprising: receiving a data request sent by a source node, wherein the data request comprises: a source node identifier and a data identifier; judging whether an authorization token corresponding to the source node identification is stored in an access control list of the electronic equipment, wherein the authorization token is used for authorizing the source node to access a target node corresponding to the data identification; if yes, sending an authorization token to the source node so that the source node forwards the authorization token to the target node, or sending the authorization token to the target node so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier. In the implementation process, the electronic equipment is arranged in the multiparty secure computing (MPC) system, metadata of various plaintext and ciphertext data in the MPC system are managed in a unified mode, the electronic equipment uses an access control list to store an authorization token of a source node for accessing a target node, the target node can be accessed only after the source node takes the authorization token, and the method for providing data by different source nodes and different target nodes is different, so that the security in a secure multiparty computing scene is effectively improved.
Optionally, in the embodiment of the present application, after determining whether to store the authorization token corresponding to the source node identifier in the access control list of the electronic device, the method further includes: if the authorization token corresponding to the source node identifier is not stored in the access control list, generating an authorization request according to the source node identifier and the data identifier, and sending the authorization request to the target node so that the target node returns the authorization token corresponding to the authorization request; and receiving the authorization token sent by the target node, and storing the authorization token into an access control list. In the implementation process, when the authorization token corresponding to the source node identifier is not stored in the access control list, an authorization request is generated according to the source node identifier and the data identifier, and the authorization request is sent to the target node, so that the problem of authentication failure caused by directly providing metadata information of data when the source node does not have the authorization request is avoided, and the security of the data in a secure multiparty computing scene is effectively increased.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; sending an authorization token to a target node so that the target node passes verification of the authorization token and allows a source node to acquire ciphertext data corresponding to a data identifier, comprising: searching an Internet Protocol (IP) address and a port number of the source node according to the source node identification; and sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token. In the implementation process, the authorization token is sent to the target node, and after the target node is verified, the ciphertext data is sent to the source node, so that the problem of authentication failure caused by the fact that the source node directly provides metadata information of the data without an authorization request is avoided, and the safety of the data in a safe multiparty computing scene is effectively improved.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; transmitting the authorization token to the source node to cause the source node to forward the authorization token to the target node, comprising: searching an Internet Protocol (IP) address and a port number of the target node according to the data identification; and sending an authorization token, a data identifier and an IP address and a port number of the target node to the source node, so that the source node sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identifier is used for sending ciphertext data corresponding to the data identifier to the source node after the target node passes the check of the authorization token. In the implementation process, the authorization token is sent to the source node, then the source node sends the authorization token to the target node for verification, and ciphertext data is acquired from the target node after the verification is passed, so that the problem of exposing an IP address and a Port number (Port) is avoided, the problem of authentication failure caused by the fact that the source node directly provides metadata information of data without authorization request is avoided, and the security of the data in a secure multiparty computing scene is effectively improved.
Optionally, in an embodiment of the present application, the source node is a ciphertext computing node, and the target node is a data node; sending an authorization token to a target node so that the target node passes verification of the authorization token and allows a source node to acquire ciphertext data corresponding to a data identifier, comprising: searching an Internet Protocol (IP) address and a port number of the source node according to the source node identification; and sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token. In the implementation process, the authorization token is sent to the target node, after the target node is verified, the ciphertext data is sent to the source node, so that the problem that the IP address and the Port number (Port) are exposed by the target node is avoided, and the safety of the data in a safe multiparty computing scene is effectively improved.
Optionally, in the embodiment of the present application, the source node is a data node, and the target node is a cache node of the intermediate result data; transmitting the authorization token to the source node to cause the source node to forward the authorization token to the target node, comprising: searching an Internet Protocol (IP) address and a port number of the target node according to the data identification; and sending an authorization token, a data identifier and an IP address and a port number of the target node to the source node, so that the source node sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identifier is used for allowing the source node to acquire ciphertext data corresponding to the data identifier after the target node passes the check of the authorization token. In the implementation process, the authorization token is sent to the source node, then the source node sends the authorization token to the target node for verification, and ciphertext data is acquired from the target node after the verification is passed, so that the problem of exposing the IP address and the Port number (Port) is avoided, the problem of exposing the IP address and the Port number (Port) of the source node is avoided, and the safety of the data in a safe multiparty computing scene is effectively improved.
Optionally, in the embodiment of the present application, the electronic device communicates with the data node through a long connection manner. In the implementation process, as the node of the data owner in the multiparty secure computing (MPC) system adopts the design of prohibiting exposure of the IP address and the Port number (Port), compared with the traditional method of directly adopting exposure of the IP address and the Port number to provide data service, the method effectively reduces the exposure probability of the node on the wide area network and improves the security in the secure multiparty computing scene.
The embodiment of the application also provides a data management device, which is applied to the electronic equipment in the multiparty security computing system, wherein the electronic equipment is used for managing metadata in the multiparty security computing system, and the metadata comprises: meta-information of intermediate result data and meta-information of plaintext data registered by a data node in a multiparty secure computing system; a data management apparatus comprising: the data request receiving module is configured to receive a data request sent by a source node, where the data request includes: a source node identifier and a data identifier; the authorization token judging module is used for judging whether an authorization token corresponding to the source node identifier is stored in an access control list of the electronic equipment, and the authorization token is used for authorizing the source node to access the target node corresponding to the data identifier; and the authorization token sending module is used for sending the authorization token to the source node if the authorization token corresponding to the source node identifier is stored in the access control list of the electronic equipment, so that the source node forwards the authorization token to the target node, or sending the authorization token to the target node, so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier.
Optionally, in an embodiment of the present application, the data management apparatus further includes: the request generation and transmission module is used for generating an authorization request according to the source node identification and the data identification if the authorization token corresponding to the source node identification is not stored in the access control list, and transmitting the authorization request to the target node so that the target node returns the authorization token corresponding to the authorization request; and the authorization token receiving module is used for receiving the authorization token sent by the target node and storing the authorization token into the access control list.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; an authorization token sending module, comprising: the first information searching module is used for searching the Internet Protocol (IP) address and the port number of the source node according to the source node identification; the first information sending module is used for sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; an authorization token sending module, comprising: the second information searching module is used for searching the Internet Protocol (IP) address and the port number of the target node according to the data identification; the second information sending module is used for sending the authorization token, the data identification and the IP address and the port number of the target node to the source node, so that the source node sends the authorization token and the data identification to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identification is used for sending ciphertext data corresponding to the data identification to the source node after the target node passes through the check of the authorization token.
Optionally, in an embodiment of the present application, the source node is a ciphertext computing node, and the target node is a data node; an authorization token sending module, comprising: the third information searching module is used for searching the Internet Protocol (IP) address and the port number of the source node according to the source node identification; and the third information sending module is used for sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token.
Optionally, in the embodiment of the present application, the source node is a data node, and the target node is a cache node of the intermediate result data; an authorization token sending module, comprising: the fourth information searching module is used for searching the Internet Protocol (IP) address and the port number of the target node according to the data identification; and the fourth information sending module is used for sending an authorization token, a data identifier and an IP address and a port number of the target node to the source node so that the source node can send the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identifier is used for allowing the source node to acquire ciphertext data corresponding to the data identifier after the target node passes the check of the authorization token.
Optionally, in the embodiment of the present application, the electronic device communicates with the data node through a long connection manner.
The embodiment of the application also provides electronic equipment, which comprises: a processor and a memory storing machine-readable instructions executable by the processor to perform the method as described above when executed by the processor.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a data management method according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating interaction between an electronic device and a source node and a target node according to an embodiment of the present disclosure;
Fig. 3 illustrates a timing diagram of various implementations of step S130 provided in the embodiment of the present application;
fig. 4 is a schematic structural diagram of a data management device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
In an MPC system supporting explicit cryptograph hybrid operation, a computing node may need to be able to know node information and cache data meta information stored in the cache data in order to acquire the cache data for subsequent computation during execution of a computing task. The cache data (hereinafter referred to as intermediate result data, i.e. ciphertext data) needs to be transferred between all kinds of participating computing nodes, and a global metadata registry service is needed for all computing participants to perform operations such as metadata registration, query and the like. In addition, the data node (i.e. the data owner) needs to register its own plaintext data meta-information into the MPC system, so that the user can select the plaintext data meta-information to be used when creating a computing task, and read the data corresponding to the plaintext data meta-information specified by loading when executing the task.
The data management method and the device of the embodiment of the invention provide a scheme capable of uniformly managing metadata information and intermediate result data of the data nodes according to the requirements. The invention maintains a global metadata registry of the MPC system through a data management server, thereby facilitating the real storage position information of index data. The data maintained in the data management server comprises two types, one type is the meta-information of the plaintext data and the meta-information of the calculation result data, and the other type is the meta-information of the intermediate result data. Specific data management schemes are described below.
Before describing the data management method provided in the embodiments of the present application, some concepts related in the embodiments of the present application are described first:
the access control list (Access Control List, ACL) refers to an access control list composed of a series of access control rules, each of which is a statement of permission, denial or annotation, stating the corresponding matching conditions and behavior.
The ciphertext computing node, which is also called ciphertext computing engine, refers to ciphertext data computing service or computing equipment executing ciphertext data computing tasks, and can also serve as a caching node for intermediate result data.
A data node, a data owner, also referred to as a plaintext data end, is a computing device that processes various data transactions of a client of the data owner, where the data owner owns plaintext of data, where the data transactions include: registration of nodes, receipt of notifications, execution of tasks, and so forth.
It should be noted that, the data management method provided in the embodiment of the present application may be applied to an electronic device in a multiparty secure computing system, that is, the data management method may be executed by the electronic device, where the electronic device is used to manage metadata in the multiparty secure computing system, where the metadata includes, but is not limited to: meta-information of intermediate result data and meta-information of plaintext data in the MPC system are registered by the data node. Thus, the electronic device may also be referred to as a data management server, which is a global registration server of metadata, mainly maintaining a registry and lifecycle management of metadata, storing service node list information, and so on. The electronic device mentioned above refers to a device terminal or a server having a function of executing a computer program, the server refers to a device that provides a computing service through a network, and the server is, for example: an x86 server and a non-x 86 server, the non-x 86 server comprising: mainframe, minicomputer, and UNIX servers.
Lifecycle management of metadata as described above is for example: metadata registration, metadata retrieval, metadata deletion, metadata synchronization, metadata storage node retrieval, and the like; metadata in the embodiments of the present application are, for example: data name, unique uniform resource locator (Uniform Resource Locator, URL) of the data, data owner, data type, data shape, data column name, storage format, number of data fragments, support task type, access control list, etc. The lifecycle management of the metadata includes: metadata lifecycle management of plaintext data and metadata lifecycle management of ciphertext data; the metadata may be used to support functions such as indicating storage locations, history data, resource lookups, file records, and the like.
The metadata described above is data information describing data attributes registered by the data owner in the multiparty secure computing system, where the metadata is, for example: data name, unique URL of data, data owner, data type, data shape, data column name, storage format, number of data fragments, support task type, access control list, etc.; the metadata may be used to implement functions that indicate storage locations, historical data, resource lookups, and file records.
Application scenarios to which the data management method is applicable are described below, where the application scenarios include, but are not limited to: the data management method is used for providing data management service for the multiparty secure computing system, reducing the probability of being attacked by a third party, improving the security of data under the multiparty secure computing system and the like. In the application scenario of the multiparty secure computing system, since plaintext data (of the data owner) involved in computation originates from different participating institutions, and ciphertext computing nodes compute based on ciphertext data when computing the data, the data owner needs to send the plaintext data to the ciphertext computing nodes to participate in computation after changing the plaintext data into ciphertext data. In order to ensure the security of the data, the plaintext data cannot be directly exchanged between different participating institutions, but the participating institutions need to know that other participating institutions open the plaintext data, so that the electronic device provides meta-information (i.e. descriptive information) authentication service and query service for the plaintext data. After the source node of each organization obtains the data identifier to be accessed through the query service, the source node can apply for the authorization token according to the data identifier and the source node identifier, and after the authorization token is obtained, the ciphertext data corresponding to the data identifier can be obtained by using the data management method of the application.
If a multi-party secure computing system splits a computing task with a very large computing power into multiple sub-computing tasks, intermediate result data that depends on the computation of the context task may be generated between different sub-computing tasks, and these intermediate result data are stored in the form of ciphertext data, and are therefore also referred to as intermediate temporary ciphertext data. In order to enable the context task to acquire the intermediate temporary ciphertext data, metadata (such as a storage node identifier and a data identifier where the fragments are located) of the intermediate temporary ciphertext data need to be registered in the electronic device in advance, and then the context task (or an authorized computing node) can acquire ciphertext data corresponding to the data identifier by using the data management method of the application.
The node for caching the intermediate result data is called a caching node of the intermediate result data, and is communicated with the electronic equipment in a conventional IP address and port mode, and meta-information of the intermediate result data is registered in the electronic equipment. The data node communicates with the electronic device in a long connection of the TCP protocol. After the metadata is registered in the electronic device, ciphertext data corresponding to the data identifier can be obtained by using the data management method.
Please refer to fig. 1, which is a flowchart illustrating a data management method according to an embodiment of the present application; the main idea of the data management method is that the electronic equipment is arranged in a multiparty secure computing (MPC) system, metadata of various plaintext and ciphertext data in the MPC system are managed in a unified mode, the electronic equipment uses an access control list to store an authorization token of a source node for accessing a target node, the target node can be accessed only after the source node takes the authorization token, and the method for providing data by different source nodes and different target nodes is different, so that the security in a secure multiparty computing scene is effectively improved. The data management method may include:
step S110: the electronic device receives a data request sent by a source node, wherein the data request comprises: source node identification and data identification.
Before the electronic device receives the data request sent by the source node, the source node can also send a query request of the data identifier to the electronic device, so that the electronic device returns the data identifier corresponding to the query request in the process of providing the data query service for the source node.
The embodiment of step S110 described above is, for example: under the application scenario of multiparty security calculation, assuming that a source node needs to acquire ciphertext data on a target node, the source node may first send a data request to an electronic device, where the data request includes: source node identification and data identification, where the source node identification may be an internet protocol (Internet Protocol, IP) address of the source node. The electronic device then receives the data request sent by the source node via a transmission control protocol (Transmission Control Protocol, TCP) or a user datagram protocol (User Datagram Protocol, UDP), and after receiving the data request sent by the source node, the above-mentioned source node identification and data Identification (ID), which is also referred to herein as a unique URL of the data, may be parsed from the data request.
After step S110, step S120 is performed: and judging whether an authorization token corresponding to the source node identification is stored in an access control list of the electronic equipment.
An authorization token (token), which refers to a data credential used to authorize a source node to access a data identification corresponding to a target node, may be generated using an auth2.0 protocol during specific practices.
Please refer to an interaction schematic diagram of the electronic device provided in the embodiment of the present application with the source node and the target node shown in fig. 2; the embodiment of step S120 described above is, for example: the electronic device may execute a program written in a preset programming language, and determine whether to store the authorization token corresponding to the source node identifier in the access control list according to the program.
After step S120, step S130 is performed: if the authorization token corresponding to the active node identifier is stored in the access control list of the electronic device, the electronic device sends the authorization token to the source node so that the source node forwards the authorization token to the target node, or sends the authorization token to the target node so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier.
Please refer to the timing diagram of various implementations of step S130 shown in fig. 3; the above embodiment of step S130 is different according to the data storage and calculation manners of the source node and the target node, and thus, there are various embodiments of step S130, including but not limited to:
in a first embodiment, the ciphertext computing node acts as a source node to request ciphertext data on a target node, that is, the source node is the ciphertext computing node and the target node is a data node; this embodiment may include:
step S131: the electronic device searches the Internet Protocol (IP) address and port number of the source node according to the source node identification.
Step S132: the electronic device sends the authorization token, the data identification, the IP address of the source node and the port number to the target node.
The embodiments of the above steps S131 to S132 are, for example: because the correspondence between all source node identifiers and the source node information is stored on the electronic device, the electronic device can find the source node information according to the source node identifiers, where the source node information includes, but is not limited to: identification information of the source node, internet protocol IP address and port number, etc. After the electronic device finds the internet protocol IP address and port number of the source node, it may send the authorization token, the data identification, the IP address and port number of the source node to the target node.
Step S133: the target node receives the authorization token, the data identifier, the IP address and the port number of the source node, which are sent by the electronic equipment, and verifies the received authorization token.
Step S134: after passing the authorization token verification, the target node sends ciphertext data corresponding to the data identification to the source node according to the IP address and the port number of the source node.
The embodiments of the above steps S133 to S134 are, for example: after receiving the authorization token, the data identifier, the IP address of the source node and the port number sent by the electronic device, the target node can verify the received authorization token, and determine whether the received authorization token passes the verification. If so, ciphertext data corresponding to the data identification can be sent to the source node according to the IP address and the port number of the source node. If not, the incorrect promotion information of the authorization token is sent to the source node.
In a second embodiment, the data node serves as a source node to request ciphertext data on the target node, that is, the source node may be a data node and the target node may be a cache node of intermediate result data; this embodiment may include:
step S135: and the electronic equipment searches the Internet Protocol (IP) address and the port number of the target node according to the data identification.
Step S136: the electronic device sends the authorization token, the data identification, the IP address of the target node, and the port number to the source node.
It should be understood that, since metadata refers to description information of data, the above data identifier, the IP address and the port number of the target node can be understood as metadata, that is, the unique identifier describing the target data, and the stored connection mode information of the target node are all metadata.
The embodiments of the above steps S135 to S136 are, for example: because the correspondence between all the data identifiers and the target node information stored in the data corresponding to the data identifiers is stored in the electronic device, the electronic device can find the target node information according to the data identifiers, where the target node information includes but is not limited to: identification information of the target node, all data identities deposited, internet protocol IP address and port number, etc. After the electronic device finds the internet protocol IP address and port number of the target node, it may send the authorization token, the data identifier, the IP address and port number of the target node to the source node.
Step S137: the source node sends an authorization token and a data identifier to the target node according to the IP address and the port number of the target node.
Step S138: the target node receives the authorization token and the data identifier sent by the source node, verifies the authorization token, and allows the source node to acquire ciphertext data corresponding to the data identifier after the authorization token passes verification.
The embodiment of step S137 to step S138 described above is, for example: the source node receives the authorization token, the data identifier and the IP address and the port number of the target node, which are sent by the electronic equipment, and sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node. The target node receives the authorization token and the data identifier sent by the source node, verifies the authorization token, and judges whether the received authorization token passes the verification. If yes, the source node is allowed to acquire ciphertext data corresponding to the data identifier. If not, the source node is refused to acquire ciphertext data corresponding to the data identifier, specifically for example: the target node may send the source node with the promotion information that the authorization token is incorrect.
Step S139: the source node obtains ciphertext data corresponding to the data identifier from the target node.
The ciphertext data acquisition method of step S139 may include: in the first acquisition mode, the target node actively pushes ciphertext data corresponding to the data identifier to the source node; in the second acquisition mode, the target node sends a message allowing ciphertext data to be acquired to the source node, and after receiving the message allowing ciphertext data to be acquired sent by the target node, the source node establishes a data channel and acquires ciphertext data corresponding to the data identifier from the data channel.
In a third embodiment, the ciphertext computing node acts as a source node to request ciphertext data on a target node, that is, the source node is the ciphertext computing node and the target node is a cache node of intermediate result data; this embodiment includes two cases:
the first case, which is similar to the first embodiment above, may include the electronic device sending the authorization token to the target node, and after the target node verifies, sending ciphertext data to the source node: the electronic equipment searches the IP address and port number of the source node according to the source node identification, and sends an authorization token, a data identification, the IP address and port number of the source node to the target node. The target node receives the authorization token, the data identifier, the IP address and the port number of the source node, which are sent by the electronic equipment, and verifies the received authorization token. The target node judges whether the verification of the authorization token is passed or not; if the authorization token passes the verification, ciphertext data corresponding to the data identification is sent to the source node according to the IP address and the port number of the source node; if the authorization token is not checked, a message that the authorization token is incorrect can be sent to the source node, or the source node can be directly refused to access the ciphertext data corresponding to the data identifier after the authorization token is not checked for a plurality of times.
A second case, similar to the second embodiment above, where an authorization token is sent to a source node, then the source node sends the authorization token to a target node for verification, and after the verification is passed, ciphertext data is obtained from the target node, may include: the electronic equipment searches the Internet Protocol (IP) address and port number of the target node according to the data identifier, and sends an authorization token, the data identifier, the IP address and port number of the target node to the source node. The source node receives the authorization token, the data identifier and the IP address and the port number of the target node, which are sent by the electronic equipment, and sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node. The target node receives the authorization token and the data identifier sent by the source node, checks the authorization token, and judges whether the authorization token passes the check or not; if the authorization token passes the verification, ciphertext data corresponding to the data identification is sent to the source node according to the IP address and the port number of the source node; if the authorization token is not checked, a message that the authorization token is incorrect can be sent to the source node, or the source node can be directly refused to access the ciphertext data corresponding to the data identifier after the authorization token is not checked for a plurality of times.
In the implementation process, the electronic equipment is arranged in the multiparty secure computing (MPC) system, metadata of various plaintext and ciphertext data in the MPC system are managed in a unified mode, the electronic equipment uses an access control list to store an authorization token of a source node for accessing a target node, the target node can be accessed only after the source node takes the authorization token, and the method for providing data by different source nodes and different target nodes is different, so that the security in a secure multiparty computing scene is effectively improved.
It should be noted that, the electronic device and the data node may communicate through a long connection manner of a transmission control protocol (Transmission Control Protocol, TCP), specifically for example: the method comprises the steps that a data node of a data holder actively requests to establish long connection with electronic equipment when being started, node identification information is sent to the electronic equipment at regular time, and the validity of the long connection is checked at regular time; if the long connection is invalid, the long connection is reestablished. The electronic device needs to maintain a long connection list of a plurality of data nodes, and maintains a message queue for each data node, and when a message needs to be sent through the long connection, the message queue is adopted to send the message to the corresponding data node.
In the implementation process, as the node of the data owner in the multiparty secure computing (MPC) system adopts the design of prohibiting exposure of the IP address and the Port number (Port), compared with the traditional method of directly adopting exposure of the IP address and the Port number to provide data service, the method effectively reduces the exposure probability of the node on the wide area network and improves the security in the secure multiparty computing scene.
Optionally, if the authorization token is not stored in the access control list, the authorization token needs to be acquired first, and the process of acquiring the authorization token may include:
after step S120, step S140 is performed: if the authorization token corresponding to the source node identification is not stored in the access control list, an authorization request is generated according to the source node identification and the data identification, and the authorization request is sent to the target node, so that the target node returns the authorization token corresponding to the authorization request.
After step S140, step S150 is performed: the electronic device receives the authorization token sent by the target node and stores the authorization token in the access control list.
The embodiments of the above steps S140 to S150 are, for example: if the electronic equipment does not store the authorization token corresponding to the source node identifier in the access control list, the electronic equipment generates an authorization request according to the source node identifier and the data identifier and sends the authorization request to the target node. The target node receives an authorization request sent by the electronic equipment, analyzes a source node identifier and a data identifier from the authorization request, and then generates an authorization token corresponding to the authorization request according to the source node identifier and the data identifier by adopting an auth2.0 protocol. And finally, the target node sends an authorization token corresponding to the authorization request to the electronic equipment. The electronic device receives the authorization token sent by the target node and stores the authorization token in the access control list.
In the implementation process, the electronic equipment is arranged in the multiparty secure computing (MPC) system, metadata of various plaintext and ciphertext data in the MPC system are managed in a unified mode, the electronic equipment uses an access control list to store an authorization token of a source node for accessing a target node, the target node can be accessed only after the source node takes the authorization token, and the method for providing data by different source nodes and different target nodes is different, so that the security in a secure multiparty computing scene is effectively improved. Further, under the condition that the authorization token corresponding to the active node identifier is already stored in the access control list, the source node is authorized to acquire ciphertext data corresponding to the data identifier from the target node, so that an attacker can only acquire ciphertext data even if the attacker takes the authorization token, the difficulty that ciphertext data in a secure multiparty computing scene is cracked by the attacker is further increased, and the security in the secure multiparty computing scene is improved.
Please refer to fig. 4, which illustrates a schematic structure of a data management apparatus according to an embodiment of the present application. The embodiment of the application provides a data management device 200, which is applied to an electronic device in a multiparty secure computing system, wherein the electronic device is used for managing metadata in the multiparty secure computing system, and the metadata comprises: meta-information of intermediate result data and meta-information of plaintext data registered by a data node in a multiparty secure computing system; a data management apparatus comprising:
The data request receiving module 210 is configured to receive a data request sent by a source node, where the data request includes: source node identification and data identification.
The authorization token judging module 220 is configured to judge whether to store an authorization token corresponding to the source node identifier in an access control list of the electronic device, where the authorization token is used to authorize the source node to access the target node corresponding to the data identifier.
The authorization token sending module 230 is configured to send an authorization token to the source node if the authorization token corresponding to the source node identifier is stored in the access control list of the electronic device, so that the source node forwards the authorization token to the target node, or send the authorization token to the target node, so that the target node passes the verification of the authorization token and allows the source node to obtain ciphertext data corresponding to the data identifier.
Optionally, in an embodiment of the present application, the data management apparatus further includes:
the request generation and transmission module is used for generating an authorization request according to the source node identification and the data identification if the authorization token corresponding to the source node identification is not stored in the access control list, and transmitting the authorization request to the target node so that the target node returns the authorization token corresponding to the authorization request.
And the authorization token receiving module is used for receiving the authorization token sent by the target node and storing the authorization token into the access control list.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; the authorization token sending module may include:
the first information searching module is used for searching the Internet Protocol (IP) address and the port number of the source node according to the source node identification;
the first information sending module is used for sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token.
Optionally, in the embodiment of the present application, the source node is a ciphertext computing node, and the target node is a cache node of the intermediate result data; the authorization token sending module may further include:
and the second information searching module is used for searching the Internet Protocol (IP) address and the port number of the target node according to the data identification.
The second information sending module is used for sending the authorization token, the data identification and the IP address and the port number of the target node to the source node, so that the source node sends the authorization token and the data identification to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identification is used for sending ciphertext data corresponding to the data identification to the source node after the target node passes through the check of the authorization token.
Optionally, in an embodiment of the present application, the source node is a ciphertext computing node, and the target node is a data node; an authorization token sending module, comprising:
and the third information searching module is used for searching the Internet Protocol (IP) address and the port number of the source node according to the source node identification.
And the third information sending module is used for sending the authorization token, the data identifier and the IP address and the port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and the port number of the source node after passing through the verification of the authorization token.
Optionally, in the embodiment of the present application, the source node is a data node, and the target node is a cache node of the intermediate result data; an authorization token sending module, comprising:
and the fourth information searching module is used for searching the Internet Protocol (IP) address and the port number of the target node according to the data identification.
And the fourth information sending module is used for sending an authorization token, a data identifier and an IP address and a port number of the target node to the source node so that the source node can send the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identifier is used for allowing the source node to acquire ciphertext data corresponding to the data identifier after the target node passes the check of the authorization token.
Optionally, in the embodiment of the present application, the electronic device and the data node may communicate through a long connection manner.
It should be understood that, corresponding to the above-mentioned data management method embodiment, the apparatus is capable of executing the steps involved in the above-mentioned method embodiment, and specific functions of the apparatus may be referred to the above description, and detailed descriptions are omitted herein as appropriate to avoid redundancy. The device includes at least one software functional module that can be stored in memory in the form of software or firmware (firmware) or cured in an Operating System (OS) of the device.
An electronic device provided in an embodiment of the present application includes: a processor and a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the method as above.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as above.
The computer readable storage medium may be implemented by any type or combination of volatile or nonvolatile Memory devices, such as static random access Memory (Static Random Access Memory, SRAM for short), electrically erasable programmable Read-Only Memory (Electrically Erasable Programmable Read-Only Memory, EEPROM for short), erasable programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM for short), programmable Read-Only Memory (Programmable Read-Only Memory, PROM for short), read-Only Memory (ROM for short), magnetic Memory, flash Memory, magnetic disk, or optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
In addition, the functional modules of the embodiments in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The foregoing description is merely an optional implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art may easily think about changes or substitutions within the technical scope of the embodiments of the present application, and the changes or substitutions should be covered in the scope of the embodiments of the present application.

Claims (10)

1. A data management method, applied to an electronic device in a multiparty secure computing system, the multiparty secure computing system supporting a plaintext and ciphertext hybrid operation, the electronic device being configured to manage metadata in the multiparty secure computing system, the metadata comprising: meta-information of intermediate result data and meta-information of plaintext data registered by a data node in the multiparty secure computing system; the data management method comprises the following steps:
receiving a data request sent by a source node, wherein the data request comprises: a source node identifier and a data identifier;
Judging whether an authorization token corresponding to the source node identifier is stored in an access control list of the electronic equipment, wherein the authorization token is used for authorizing the source node to access a target node corresponding to the data identifier;
if yes, the authorization token is sent to the source node, so that the source node forwards the authorization token to the target node, or the authorization token is sent to the target node, so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier;
the sending the authorization token to the source node, so that the source node forwards the authorization token to the target node, includes:
if the source node is a data node, the authorization token is sent to the source node so that the source node forwards the authorization token to the target node;
and if the target node is a data node, sending the authorization token to the target node so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier.
2. The method of claim 1, further comprising, after said determining whether to store the authorization token corresponding to the source node identification in an access control list of the electronic device:
If the authorization token corresponding to the source node identifier is not stored in the access control list, generating an authorization request according to the source node identifier and the data identifier, and sending the authorization request to the target node so that the target node returns the authorization token corresponding to the authorization request;
and receiving the authorization token sent by the target node, and storing the authorization token into the access control list.
3. The method of claim 1, wherein the source node is a ciphertext calculation node and the target node is a cache node of the intermediate result data; the sending the authorization token to the target node, so that the target node passes the verification of the authorization token and allows the source node to obtain ciphertext data corresponding to the data identifier, including:
searching an Internet Protocol (IP) address and a port number of the source node according to the source node identification;
and sending the authorization token, the data identifier and the IP address and port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and port number of the source node after passing through the verification of the authorization token.
4. The method of claim 1, wherein the source node is a ciphertext calculation node and the target node is a cache node of the intermediate result data; the sending the authorization token to the source node, so that the source node forwards the authorization token to the target node, includes:
searching the Internet Protocol (IP) address and the port number of the target node according to the data identifier;
and sending the authorization token, the data identifier and the IP address and the port number of the target node to the source node, so that the source node sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, the authorization token is used for being checked by the target node, and the data identifier is used for sending ciphertext data corresponding to the data identifier to the source node after the target node passes the check of the authorization token.
5. The method of claim 1, wherein the source node is a ciphertext computing node and the target node is a data node; the sending the authorization token to the target node, so that the target node passes the verification of the authorization token and allows the source node to obtain ciphertext data corresponding to the data identifier, including:
Searching an Internet Protocol (IP) address and a port number of the source node according to the source node identification;
and sending the authorization token, the data identifier and the IP address and port number of the source node to the target node, so that the target node sends ciphertext data corresponding to the data identifier to the source node according to the IP address and port number of the source node after passing through the verification of the authorization token.
6. The method of claim 1, wherein the source node is a data node and the target node is a cache node of the intermediate result data; the sending the authorization token to the source node, so that the source node forwards the authorization token to the target node, includes:
searching the Internet Protocol (IP) address and the port number of the target node according to the data identifier;
and sending the authorization token, the data identifier and the IP address and the port number of the target node to the source node so that the source node sends the authorization token and the data identifier to the target node according to the IP address and the port number of the target node, wherein the authorization token is used for being checked by the target node, and the data identifier is used for allowing the source node to acquire ciphertext data corresponding to the data identifier after the target node passes the check of the authorization token.
7. The method according to claim 5 or 6, wherein the electronic device communicates with the data node via a long connection.
8. A data management apparatus, applied to an electronic device in a multi-party secure computing system, the multi-party secure computing system supporting a plaintext-ciphertext hybrid operation, the electronic device configured to manage metadata in the multi-party secure computing system, the metadata comprising: meta-information of intermediate result data and meta-information of plaintext data registered by a data node in the multiparty secure computing system; the data management apparatus includes:
the data request receiving module is configured to receive a data request sent by a source node, where the data request includes: a source node identifier and a data identifier;
the authorization token judging module is used for judging whether an authorization token corresponding to the source node identifier is stored in an access control list of the electronic equipment, and the authorization token is used for authorizing the source node to access a target node corresponding to the data identifier;
an authorization token sending module, configured to send, if an authorization token corresponding to the source node identifier is stored in an access control list of the electronic device, the authorization token to the source node, so that the source node forwards the authorization token to the target node, or send the authorization token to the target node, so that the target node passes the verification of the authorization token and allows the source node to obtain ciphertext data corresponding to the data identifier;
The authorization token sending module is specifically configured to: if the authorization token corresponding to the source node identifier is stored in the access control list of the electronic equipment and the source node is a data node, the authorization token is sent to the source node so that the source node forwards the authorization token to the target node; and if the authorization token corresponding to the source node identifier is stored in the access control list of the electronic equipment, and if the target node is a data node, the authorization token is sent to the target node, so that the target node passes the verification of the authorization token and allows the source node to acquire ciphertext data corresponding to the data identifier.
9. An electronic device, comprising: a processor and a memory storing machine-readable instructions executable by the processor to perform the method of any one of claims 1 to 7 when executed by the processor.
10. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the method according to any of claims 1 to 7.
CN202110825503.2A 2021-07-21 2021-07-21 Data management method and device, electronic equipment and storage medium Active CN113572759B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110825503.2A CN113572759B (en) 2021-07-21 2021-07-21 Data management method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110825503.2A CN113572759B (en) 2021-07-21 2021-07-21 Data management method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113572759A CN113572759A (en) 2021-10-29
CN113572759B true CN113572759B (en) 2023-05-23

Family

ID=78165973

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110825503.2A Active CN113572759B (en) 2021-07-21 2021-07-21 Data management method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113572759B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1885763A (en) * 2006-07-06 2006-12-27 华为技术有限公司 Method for preventing IP address leakage
CN106101617A (en) * 2016-06-08 2016-11-09 浙江宇视科技有限公司 A kind of message transmitting method, Apparatus and system
CN107347047A (en) * 2016-05-04 2017-11-14 阿里巴巴集团控股有限公司 Attack guarding method and device
CN107689987A (en) * 2017-08-11 2018-02-13 东软集团股份有限公司 Virtual network service process for exposing and device
CN110266764A (en) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 Internal services call method, device and terminal device based on gateway
CN112671720A (en) * 2020-12-10 2021-04-16 苏州浪潮智能科技有限公司 Token construction method, device and equipment for cloud platform resource access control

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8973118B2 (en) * 2011-12-14 2015-03-03 Cellco Partnership Token based security protocol for managing access to web services
US9680833B2 (en) * 2015-06-25 2017-06-13 Imperva, Inc. Detection of compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations
KR102117584B1 (en) * 2016-01-29 2020-06-26 구글 엘엘씨 Local device authentication
CN106302546B (en) * 2016-10-18 2019-09-13 青岛海信电器股份有限公司 The method and apparatus for realizing server access
CN108683747B (en) * 2018-06-11 2020-11-27 华为技术有限公司 Resource obtaining, distributing and downloading method, device, equipment and storage medium
CN108810006B (en) * 2018-06-25 2021-08-10 百度在线网络技术(北京)有限公司 Resource access method, device, equipment and storage medium
CN110809011B (en) * 2020-01-08 2020-06-19 医渡云(北京)技术有限公司 Access control method and system, and storage medium
CN111371881A (en) * 2020-02-28 2020-07-03 北京字节跳动网络技术有限公司 Service calling method and device
CN111865980B (en) * 2020-07-20 2022-08-12 北京百度网讯科技有限公司 Information processing method and device of information storage center
CN111880919B (en) * 2020-07-29 2024-04-02 平安国际融资租赁有限公司 Data scheduling method, system and computer equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1885763A (en) * 2006-07-06 2006-12-27 华为技术有限公司 Method for preventing IP address leakage
CN107347047A (en) * 2016-05-04 2017-11-14 阿里巴巴集团控股有限公司 Attack guarding method and device
CN106101617A (en) * 2016-06-08 2016-11-09 浙江宇视科技有限公司 A kind of message transmitting method, Apparatus and system
CN107689987A (en) * 2017-08-11 2018-02-13 东软集团股份有限公司 Virtual network service process for exposing and device
CN110266764A (en) * 2019-05-21 2019-09-20 深圳壹账通智能科技有限公司 Internal services call method, device and terminal device based on gateway
CN112671720A (en) * 2020-12-10 2021-04-16 苏州浪潮智能科技有限公司 Token construction method, device and equipment for cloud platform resource access control

Also Published As

Publication number Publication date
CN113572759A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
US10819503B2 (en) Strengthening non-repudiation of blockchain transactions
US11128477B2 (en) Electronic certification system
US6754829B1 (en) Certificate-based authentication system for heterogeneous environments
US10868802B2 (en) Enabling setting up a secure peer-to-peer connection
US8336087B2 (en) Robust digest authentication method
CN112261172B (en) Service addressing access method, device, system, equipment and medium
US10476733B2 (en) Single sign-on system and single sign-on method
EP3226506A1 (en) Authorization processing method, device and system
CN112202705A (en) Digital signature verification generation and verification method and system
WO2019134234A1 (en) Rooting-prevention log-in method, device, terminal apparatus, and storage medium
WO2019001082A1 (en) Authentication method and device for video stream address
CN113472790A (en) Information transmission method based on HTTPS (hypertext transfer protocol secure protocol), client and server
CN111585970A (en) Token verification method and device
US11153099B2 (en) Reestablishing secure communication with a server after the server's certificate is renewed with a certificate authority unknown to the client
CN111209349A (en) Method and device for updating session time
US10791119B1 (en) Methods for temporal password injection and devices thereof
CN114372254B (en) Multi-authentication authorization method under big data environment
CN112929388B (en) Network identity cross-device application rapid authentication method and system, and user agent device
CN112182009B (en) Block chain data updating method and device and readable storage medium
CN111092958B (en) Node access method, device, system and storage medium
CN116260656B (en) Main body trusted authentication method and system in zero trust network based on blockchain
CN113572759B (en) Data management method and device, electronic equipment and storage medium
GB2582180A (en) Distributed authentication
WO2020248657A1 (en) Method and apparatus for locking account in blockchain
JP2020509625A (en) Data message authentication based on random numbers

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant