CN114239043A - Shared encryption storage system constructed based on block chain technology - Google Patents

Publication number
CN114239043A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111211290.0A
Other languages
Chinese (zh)
Inventor
王远东
田桂申
宋猛
白雪娇
曹阳
屈春一
范秉旭
粘中元
张慧奔
王冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Times Economic Publishing House Co ltd
State Grid Inner Mongolia East Electric Power Co ltd Comprehensive Service Branch
Information and Telecommunication Branch of State Grid East Inner Mogolia Electric Power Co Ltd
State Grid Eastern Inner Mongolia Power Co Ltd
Original Assignee
China Times Economic Publishing House Co ltd
State Grid Inner Mongolia East Electric Power Co ltd Comprehensive Service Branch
Information and Telecommunication Branch of State Grid East Inner Mogolia Electric Power Co Ltd
State Grid Eastern Inner Mongolia Power Co Ltd
Application filed by China Times Economic Publishing House Co ltd, State Grid Inner Mongolia East Electric Power Co ltd Comprehensive Service Branch, Information and Telecommunication Branch of State Grid East Inner Mogolia Electric Power Co Ltd, State Grid Eastern Inner Mongolia Power Co Ltd

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention provides a shared encryption storage system constructed based on block chain technology, comprising a master node and a consensus node. The master node manages users, manages private data and services, and maintains data access information, based on the logic layers deployed on the node. Being based on block chain technology, the shared encrypted storage system guarantees the authenticity of data and the enforceability of contract execution, achieves decentralization, and provides secure data management for data sharing.

Description

Shared encryption storage system constructed based on block chain technology
Technical Field
The invention relates to the technical field of data security, in particular to a shared encryption storage system constructed based on a block chain technology.
Background
During operation, a management information system generates a large amount of data involving the multiple subsystems associated with it. This data must be managed systematically, and when it is shared externally two problems have to be solved. The first is the legality of data sharing: for example, data in an enterprise audit may involve department-specific circumstances, which raises the question of how to share the data in the face of uncertain risks or regulations. The second is the security and rights of the data: once the data is used by a target user, it is at risk of being copied, stored and tampered with, and its protection cannot be guaranteed. If data is not shared, however, each user or service system becomes an information island, which brings extra workload to the management information system.
The data management modes of managing information systems generally include a data hosting mode and a data aggregation mode. In the hosting mode, data are hosted to a central database of a specific business system, and the central database is used for unified management and operation and maintenance. In the aggregation mode, data of different service systems are connected through an API (application program interface), a data transfer system and a data owner interact, and a query result is returned.
However, the disadvantage of the hosting mode is that data security is low and the users' usage rights depend entirely on the integrity of the hosting system. In the aggregation mode, the data of different business systems appears to be managed independently, but the final data aggregator has the full capability, and also the opportunity, to retain the data of each business system. This risk exists even though the data owner has the authority to specify that data must not be persisted.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a shared encryption storage system constructed based on a block chain technology, which comprises a main node and a consensus node;
the main node is used for realizing the management of users, the management of private data and services and the maintenance of data access information based on each logic layer deployed on the main node;
the consensus node is used for carrying out safety management on users accessing the consensus node, initiating a private data access request and providing private data service according to the private data access request based on each logic layer deployed on the consensus node;
the master node packages private data into signed transaction information by calling a storage access interface and sends the signed transaction information to the consensus node; the consensus nodes package the private data into a transaction block in a predefined period, forward the transaction block in the block chain, reach consistency among all the consensus nodes based on a consensus algorithm, and write the transaction block into the local database mirror of each consensus node to achieve global data consistency;
the user of each service system inquires and obtains the unprocessed transaction information of the current service system from the private data database through the consensus node; the consensus node filters the confirmed transaction block message forwarded to the current service system, extracts the transaction block message matched with the address of the current service system, and sends the matched transaction block message to the service system; the service system uses the main node public key to verify the signature of the transaction block message, decrypts the session key through the private key of the current service system, and then decrypts the transaction block message to obtain private data.
Preferably, each logic layer deployed on the master node and the consensus node includes: an infrastructure layer, a contract layer, an operation and maintenance layer, a presentation layer and an application layer;
the infrastructure layer is used for encapsulating all infrastructure supporting smart contract implementation;
the contract layer is used for encapsulating static contract data;
the operation and maintenance layer is used for encapsulating dynamic operations on the static contract data in the contract layer;
the presentation layer is used for encapsulating protocols and voting mechanisms;
the application layer is used for encapsulating each scenario and application in the service flow.
Preferably, the infrastructure layer comprises: a distributed ledger, a development environment and an oracle;
the distributed ledger is used for recording all data processing records on the shared encrypted storage system;
the development environment covers node start-up, contract deployment and contract invocation, implemented in computer code;
and the oracle performs security management on the data sources of the encryption storage system based on the security rules of the block chain.
Preferably, the user comprises: data owner, data user.
Preferably, the initiating the private data access request comprises:
when a data user needs to use project information of a certain participated service, searching whether a corresponding index exists on a block chain or not;
if so, the data user initiates a data request to the data owner based on the block chain; otherwise, the data consumer initiates a data request based on the block chain.
Preferably, the index comprises: primary key, public key information, private key, and signature.
Preferably, the providing the private data service according to the private data access request includes:
after the data owner extracts the public key information and confirms that the data user is in a legal role, the data meeting the standard requirement is encrypted using the public key and signed using a private key to generate an encrypted data packet, and the encrypted data packet is sent based on the block chain.
Preferably, said confirming that the data user is in a legal role comprises: confirming that the data user is a legal user.
Preferably, the managing the user includes: auditing the roles and attributes of the users who join the block chain.
Preferably, the maintaining data access information includes:
auditing the data information in the block chain, sending a data certificate and storing the data certificate;
establishing index information for the data information in the block chain and storing the index information;
private data access requests initiated by data users and private data services provided by data owners are stored.
Compared with the prior art, the invention has the beneficial effects that:
1. the shared encryption storage system constructed by the invention is based on block chain technology, which guarantees the authenticity of data and the enforceability of contract execution, achieves decentralization, and provides a data management method for data sharing;
2. the shared encrypted storage system constructed by the invention is applied to a business system, so that the effective management of enterprise private data is realized, the private data is safely shared by a business subsystem, the process is public and transparent, the integrity of the data is ensured by the whole process, and the authority and the traceability can be ensured;
3. the technical scheme provided by the invention has the advantages that the judgment on the legal role comprises data flow validity verification and data use permission verification, and the double verification ensures the data use safety and conforms to the stricter safety limit of the service on the data.
Drawings
FIG. 1 is the architecture of the shared encrypted storage system based on block chain technology according to the present invention;
FIG. 2 is a diagram of the smart contract model architecture of the present invention;
FIG. 3 is a flow chart of a data management implementation of the present invention;
FIG. 4 is a diagram of data indexing information provided by the present invention;
FIG. 5 shows the operation of the system of the present invention.
Detailed Description
The invention uses the decentralized data management mode provided by the block chain to establish a consortium chain linking the multiple business systems of the management information system and external users. A smart contract is established on the block chain through a predetermined identification mechanism, and the reasonableness of the users' audit behavior is identified automatically throughout the audit process. Blocks are generated and added to the chain through consensus among the multiple parties on the consortium chain; each user's data requests and processing are formed into data blocks and authenticated automatically, and each data block contains a batch of network interaction information. This prevents private data from being tampered with or forged, and makes the access records of private data traceable so that the validity of the information can be verified.
Because block chain technology is trustless, decentralized, collectively maintained and provides a reliable database, all relevant business system users take part in the whole data management process when the shared encryption storage system is constructed and applied to the data management of a management information system. The working process is therefore transparent and supervised, and no operation can be tampered with.
For a better understanding of the present invention, reference is made to the following description taken in conjunction with the accompanying drawings and examples.
Example 1:
The invention provides a shared encrypted storage system based on block chain technology. As shown in FIG. 1, the block chain is composed of a plurality of nodes, which connect a plurality of service systems. The main functions of a node are: receiving information from the service systems; generating and submitting block chain records for its own data; and ensuring the security of the communication process. The nodes comprise a master node and consensus nodes.
1) Common area on chain: the main service system serves as the public area. Connections between personnel are established by organizing a user authority system, and original and newly added members are managed through an authentication mechanism. (A majority-vote principle is adopted: for example, adding a member to the chain requires confirmation by the personnel already on the chain, and the member is legally added once most of the members have confirmed; other member operations, such as deletion and authority changes, work the same way.) The data change process is recorded by maintaining a common record block chain, and data specifications, usage rules and data tracing are established. This area is assumed by the master node, which is elected by the members on the chain or directly designated.
2) Member area on chain: each member keeps a backup of the public record block chain, supervises the correctness of the block chain data records during the main service process, and maintains the private data it uses for sharing. This is realized by the consensus nodes.
The master node packages private data into signed transaction information by calling a storage access interface and sends the signed transaction information to the consensus node. The consensus nodes package the private data into a transaction block in a predefined period, forward the transaction block in the block chain, reach consistency among all the consensus nodes based on a consensus algorithm, and write the transaction block into the local database mirror of each consensus node to ensure the global consistency of the database.
Each service system queries and obtains its own unprocessed transaction information from the private data database through the consensus node. The consensus node can also filter the confirmed transaction block messages forwarded to the current service system, extract the messages that match the address of the service system, and send them to the service system. The service system verifies the signature of the message using the master node public key, decrypts the session key with its own private key, and then decrypts the message to obtain the private data.
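The message flow just described, as an added example that is not part of the patent text: the master node signs and encrypts, the consensus node filters by address, and the service system verifies before decrypting. The algorithm choices (RSA-OAEP key wrap, RSA-PSS signature, AES-256-GCM), the message field names, the sample addresses and the use of the third-party `cryptography` package are assumptions made for illustration.

```python
import json
import os
from base64 import b64decode, b64encode

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithm choices; the description does not fix them for this flow.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def b64(data):
    return b64encode(data).decode()


def signed_bytes(msg):
    """Canonical bytes covered by the master node signature (all fields but 'sig')."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


def package_transaction(private_data, recipient_addr, recipient_pub, master_priv):
    """Master node: encrypt under a fresh session key, wrap the key, sign the message."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    # The recipient address is bound to the ciphertext as associated data.
    ciphertext = AESGCM(session_key).encrypt(nonce, private_data, recipient_addr.encode())
    msg = {
        "to": recipient_addr,
        "wrapped_key": b64(recipient_pub.encrypt(session_key, OAEP)),
        "nonce": b64(nonce),
        "ciphertext": b64(ciphertext),
    }
    msg["sig"] = b64(master_priv.sign(signed_bytes(msg), PSS, hashes.SHA256()))
    return msg


def filter_for(confirmed_messages, addr):
    """Consensus node: forward only confirmed messages matching the system address."""
    return [m for m in confirmed_messages if m["to"] == addr]


def open_transaction(msg, own_priv, master_pub):
    """Service system: verify the signature first, then unwrap the key and decrypt.

    Returns the private data, or None if any check fails."""
    try:
        master_pub.verify(b64decode(msg["sig"]), signed_bytes(msg), PSS, hashes.SHA256())
    except InvalidSignature:
        return None
    try:
        session_key = own_priv.decrypt(b64decode(msg["wrapped_key"]), OAEP)
        return AESGCM(session_key).decrypt(
            b64decode(msg["nonce"]), b64decode(msg["ciphertext"]), msg["to"].encode())
    except (ValueError, InvalidTag):
        return None


def demo():
    # Constructed keys, addresses and payloads for illustration only.
    master = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sys_a = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sys_b = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    confirmed = [
        package_transaction(b"audit record 42", "sys-A", sys_a.public_key(), master),
        package_transaction(b"payroll summary", "sys-B", sys_b.public_key(), master),
    ]
    inbox = filter_for(confirmed, "sys-A")
    opened = open_transaction(inbox[0], sys_a, master.public_key())
    # Another member holding the same message cannot unwrap the session key.
    other_member = open_transaction(inbox[0], sys_b, master.public_key())
    # A message whose address was altered in transit fails signature verification.
    readdressed = open_transaction(dict(inbox[0], to="sys-B"), sys_b, master.public_key())
    return opened, other_member, readdressed, len(inbox)


if __name__ == "__main__":
    print(demo())
```

Verifying the signature before touching the wrapped key means a service system never feeds unauthenticated input to its private-key operation.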
Optionally, when consistency authentication is initiated, any one of the consensus nodes acts as the authentication initiating node. This node first obtains the hash information of the new transaction data,
and then determines from the block chain whether any block contains the ciphertext information corresponding to that hash information. Each block in the block chain comprises a transaction message and block metadata; the transaction message comprises the ciphertext information corresponding to each new transaction data; the block metadata comprises the block metadata hash value of the block's preceding block. If the ciphertext information corresponding to the hash information exists in the block chain, the new transaction data is confirmed to have passed the consistency authentication.
The hash information of the new transaction data acquired by the authentication initiating node may be provided directly by a user of the service system, or may be calculated from the new transaction data provided by the user. The authentication initiating node traverses the ciphertext information contained in each block of the block chain, obtains the corresponding hash value, and compares it with the hash information of the received new transaction data. More preferably, the authentication initiating node stores in advance index information for the hash information corresponding to the ciphertext information in each block of the block chain, and uses the index information to query whether the hash information corresponding to the ciphertext information at a specific position of the block chain is consistent with the hash information of the new transaction data provided by the user. It then determines, from the block chain, the ciphertext information of the new transaction data corresponding to the index information, and calculates the hash information of the new transaction data from that ciphertext information; when the calculated hash information is consistent with the hash information of the new transaction data provided by the user, it is determined that ciphertext information corresponding to the hash information exists in the block chain.
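The consistency authentication described above, as an added example that is not part of the patent text: blocks hold ciphertexts plus metadata chained by the preceding block's metadata hash, and the initiating node checks a claimed hash either through a pre-built index or by traversal. SHA-256, the field names and the extra `tx_digest` metadata field (which lets the chain check also cover the ciphertexts) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-metadata hash used by the first block


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tx_digest(ciphertexts):
    """Digest over the per-transaction hashes of a block (assumed metadata field)."""
    return sha256_hex("".join(sha256_hex(c) for c in ciphertexts).encode())


def meta_hash(meta):
    return sha256_hex(json.dumps(meta, sort_keys=True).encode())


def append_block(chain, ciphertexts):
    """Add a block whose metadata carries the hash of the preceding block's metadata."""
    prev = meta_hash(chain[-1]["metadata"]) if chain else GENESIS
    meta = {"height": len(chain), "prev_meta_hash": prev,
            "tx_digest": tx_digest(ciphertexts)}
    chain.append({"transactions": list(ciphertexts), "metadata": meta})


def build_index(chain):
    """Index kept by the initiating node: ciphertext hash -> (block height, position)."""
    return {sha256_hex(ct): (blk["metadata"]["height"], pos)
            for blk in chain for pos, ct in enumerate(blk["transactions"])}


def chain_is_linked(chain):
    prev = GENESIS
    for height, blk in enumerate(chain):
        meta = blk["metadata"]
        if meta["height"] != height or meta["prev_meta_hash"] != prev:
            return False
        if meta["tx_digest"] != tx_digest(blk["transactions"]):
            return False
        prev = meta_hash(meta)
    return True


def authenticate(chain, index, claimed_hash):
    """Index path: locate the ciphertext, recompute its hash, compare with the claim."""
    if not chain_is_linked(chain):
        return (False, "chain-broken")
    loc = index.get(claimed_hash)
    if loc is None:
        return (False, "not-indexed")
    height, pos = loc
    if height >= len(chain) or pos >= len(chain[height]["transactions"]):
        return (False, "stale-index")
    if sha256_hex(chain[height]["transactions"][pos]) != claimed_hash:
        return (False, "hash-mismatch")
    return (True, "ok")


def authenticate_by_scan(chain, claimed_hash):
    """Traversal path: hash every ciphertext in every block and compare."""
    return chain_is_linked(chain) and any(
        sha256_hex(ct) == claimed_hash
        for blk in chain for ct in blk["transactions"])


def demo():
    # Constructed sample ciphertexts: opaque bytes standing in for encrypted data.
    ct_a, ct_b, ct_c = b"\x01ciphertext-A", b"\x02ciphertext-B", b"\x03ciphertext-C"
    chain = []
    append_block(chain, [ct_a, ct_b])
    append_block(chain, [ct_c])
    index = build_index(chain)
    results = {
        "present": authenticate(chain, index, sha256_hex(ct_b)),
        "absent": authenticate(chain, index, sha256_hex(b"never-recorded")),
        "scan": authenticate_by_scan(chain, sha256_hex(ct_c)),
    }
    # Failure mode 1: a ciphertext is changed in a local mirror; metadata no longer matches.
    chain[0]["transactions"][1] = b"\x02tampered"
    results["in_place_change"] = authenticate(chain, index, sha256_hex(ct_b))
    # Failure mode 2: the mirror's metadata is recomputed too, so the chain links again,
    # but the index entry now points at ciphertext with a different hash.
    chain[0]["metadata"]["tx_digest"] = tx_digest(chain[0]["transactions"])
    chain[1]["metadata"]["prev_meta_hash"] = meta_hash(chain[0]["metadata"])
    results["rewritten_mirror"] = authenticate(chain, index, sha256_hex(ct_b))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Recomputing the hash from the stored ciphertext, rather than trusting the index entry alone, is what catches the second failure mode.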
Example 2:
Each node on the block chain adopts a smart contract scheme, implemented with the smart contract model shown in FIG. 2, which comprises the following:
Infrastructure layer: encapsulates all infrastructure supporting smart contract implementation, including the distributed ledger, the development environment, the oracle and the like.
Distributed ledger: the execution and interaction of smart contracts rely on technologies such as the consensus algorithm and the communication network, and the final execution result is recorded in a distributed ledger maintained by all nodes. In the invention, the distributed ledger records the data content of the shared encryption storage system.
Development environment: a smart contract can be regarded as a computer program running on a block chain, and, as with any computer program, its development, deployment and debugging involve a development environment.
Oracle: to ensure the security of the block chain network, smart contracts generally run in an isolated sandbox execution environment, and the oracle can provide a trusted data source from outside the sandbox for contract queries or for triggering contract execution. Meanwhile, to keep the contract execution results of the distributed nodes consistent, smart contracts also obtain randomness by querying the oracle. In the invention, the oracle ensures that the data sources of the encryption storage system are trusted.
Contract layer: encapsulates static contract data, including the contract terms agreed by the contract parties, auditing methods, coded context-response rules, the criteria for interaction between the contract and the outside world as specified by the contract creator, the criteria for contract-to-contract interaction, and the like. The contract layer can be regarded as the static database of the smart contract; it encapsulates all rules for invoking, executing and communicating with smart contracts.
Operation and maintenance layer: encapsulates a series of dynamic operations on the static contract data in the contract layer, including mechanism design, formal verification, security checks and the like. Smart contract applications usually concern the interests of every department of an enterprise, and malicious, erroneous or vulnerable smart contracts can cause huge losses; the operation and maintenance layer is the key to ensuring that smart contracts run correctly, safely and efficiently according to the designer's intent.
Presentation layer: encapsulates the concrete forms the smart contract takes in the application of the invention, including the decentralized application (DApp) and the decentralized organization (DAO). The decentralized application is based on Ethereum: a defined transaction protocol, a contract or set of contracts executed according to conditions set on the block chain. The decentralized organization is the node-based voting mechanism used in the present invention.
Application layer: encapsulates the smart contract in the application scenario of the invention, namely the shared encryption storage system.
When the service system $R_u$ requests shared private data from a consensus node $R_v$, the consensus node $R_v$ first verifies the identity of the service system $R_u$. After consensus is reached with $R_u$, the consensus node $R_v$ sets an access limit; the smart contract then decrypts the data according to the private key provided by the consensus node $R_v$ and outputs a corresponding result according to the constraint. Before the data is output to $R_u$, it is encrypted with the public key provided by $R_u$, and $R_u$ then decrypts it with its local private key. The specific steps are as follows:
First, $R_u$ issues a private data access request $Rqt$ to $R_v$.
$R_v$ receives the data $(Rqt \| Lisc_{R_u} \| T)$, where $Lisc_{R_u}$ is the identity license of $R_u$ and $T$ is a timestamp;
Node $R_v$ verifies whether the identity of $R_u$ is legal. If it is, $R_v$ sets the access limit $Rsc$ for $R_u$ and, when the access is authorized, sends the access limit and the private key $PK_{bv}$ corresponding to the accessed block to the consensus node set $RTY_v$. At this time $R_u$ receives the data:
$$E_{PK_{RTY_e}}(Rsc \| PK_{bv} \| T \| Lisc_{R_v})$$
$Lisc_{R_v}$ is the identity license of $R_v$, and $E_{PK_{RTY_v}}$ denotes encryption using the private key provided by the consensus node set $RTY_e$.
After the consensus node set $RTY_e$ verifies the above information, the smart contract is executed: the code in the block chain is locked according to the access limit set by the node, the shared private data is decrypted according to the provided symmetric key, and the shared data is asymmetrically encrypted with the public key $PK_{R_u}$ of the service system and the result is output.
If the service system $R_u$ and the consensus node $R_v$ are within the same gateway coverage area, the gateway sends the data directly to the service system $R_u$; otherwise, the consensus node currently executing the smart contract sends the encryption result to the gateway adjacent to $R_u$, which is expressed as follows:
$$RTY_j = E_{PK_{RTY_{j+1}}}(temp \| T \| Lisc_{RTY_j})$$
wherein:
$$temp = E_{PK_{R_u}}(Data \| Lisc_{R_v} \| Lisc_{RTY_j} \| T)$$
$Data$ is the private data to be shared.
4) After receiving the data, the service system $R_u$ decrypts it with its own private key and accesses the shared data.
Example 3:
The users in the invention have 3 roles: the data users and the data service parties are other business systems, and the data owners are main business systems.
1) Data owner: holds the data of each business system, maintains the private data used for sharing, provides external data query services, and tracks the use of the data as required.
2) Data user: the business system that initiates data usage requirements and obtains marked data usage rights.
3) Data service party: serves the owner and the user at the same time, maintaining the order of circulation and recording the relevant circumstances by recording the data circulation process.
As shown in FIG. 3, another aspect of the present invention provides a data management implementation method, including:
Step 1: the service system carries out system implementation and deployment, and publishes the system's public key, data access rules, access content, access mode and the standard format for data sharing.
Step 2: the users of the related service systems join the block chain and pass the audit.
Step 3: the data certificate is sent to the business system.
Step 4: data index information is submitted. FIG. 4 shows an example of data index information.
Step 5: all received index information is verified, the verified records are summarized, and the summarized records are added to the block to form the block chain.
Example 4:
based on this, the operation process of the shared encrypted storage system of the invention is as follows:
1. When a data user needs to use project information of a service it participates in, it first searches whether a corresponding index exists on the block chain, without acquiring the actual data content. If the index exists, all information of the index is obtained, including the information description, key information (public key and private key), signature and the like. The encryption algorithms adopted for the private key include: DES, 3DES, TDEA, Blowfish, RC2, RC4, RC5, IDEA, SKIPJACK, AES, etc.; the encryption algorithms adopted for the public key include: RSA, ElGamal, the knapsack algorithm, Rabin, D-H, ECC, etc.;
2. The data user initiates a data request through the service main system. The data request includes the HASH value of the data service primary keyword generated by a HASH algorithm, key information, the request requirements and the like. If a corresponding index exists, the data request is sent to the department that needs to provide the data; if no corresponding index exists, the data user initiates the request and waits for the data owner to complete the service, after which the request is responded to.
3. After the data owner extracts the public key information and confirms that the data user is in a legal role (the legal role includes that the confirmed data user is a legal user), the data meeting the standard requirement is encrypted using the public key and signed using a private key to generate an encrypted data packet, and the encrypted data packet is sent to the service main system.
4. After extracting the public key and verifying validity, the service main system decrypts the record with the private key and checks whether it matches the requested HASH value; if it does, the data is used and a transaction record is formed. The process is shown in FIG. 5. In FIG. 5, Block1 represents a distributed block; Header indicates the primary key information index, Body indicates the information content, and Signature is a signature and indicates personal information. Confirming that the data user is a user designated for the data service comprises the following steps: determining the project information according to the primary keyword of the data service, extracting the related users from a pre-stored list of users participating in that data service, and determining whether the data requester belongs to the related users; if so, the data user is considered a user designated for the data service. The role verification of the invention comprises a double verification, namely data flow validity verification and data use permission verification, which ensures the security of data use on the basis of ensuring the security of the audit flow.
In the invention, after public key encryption and private key signature, an encrypted data packet is generated.
Example 5:
the shared encrypted storage system of the present invention further includes a data supervision process. The supervision content comprises the normalization and the quality of data provided by a data owner user, whether a service system is used maliciously or not and whether the risk of data leakage exists or not in the process. The preferred procedure is as follows:
The data owner first interacts with the master node and obtains the global authentication parameters. The data owner then generates a finite field and a distribution function F. Next, the data owner initializes the hierarchical structure of the business system users and allocates two-dimensional tensors $(A_i, B_i)$ to each business system user. Finally, the data owner calculates the connection matrix in the global authentication parameters by applying the distribution function F to the tensors. The product of each service system user's tensor $B_i$ and the corresponding public tensor is that user's encryption key
Figure BDA0003309035500000131
If the two business systems do not have a hierarchical relationship, the tensor product associated with the two is zero. If the user has the hierarchical relationship, the encryption key of the user of the next-level service system can be calculated and obtained through the tensor of the user of the previous-level service system.
The connection matrix is obtained by the following process:
For each business system user $V_i$, the data owner randomly selects tensors $A_i=(a_{i,1},a_{i,2})$ and $B_i=(b_{i,1},b_{i,2})$. All tensors $A_i$ are mapped to a new tensor $W_i$ by the distribution function F.
The data owner converts $B_i$ to an n-dimensional tensor $\Gamma_i$, with $\gamma_{i,1}=b_{i,1}$, $\gamma_{i,2}=b_{i,i}$, and $\gamma_{i,j}=0$ for $j\neq 1,i$, obtaining the set of n-dimensional tensors $\Gamma_1=(\gamma_{1,1},\gamma_{1,2},0,\ldots,0)$; $\Gamma_2=(\gamma_{2,1},\gamma_{2,2},0,\ldots,0)$; $\Gamma_n=(\gamma_{n,1},0,\ldots,0,\gamma_{n,n})$;
Computing matrices
Figure BDA0003309035500000132
Determine whether the tensors $\Gamma_1,\Gamma_2,\ldots,\Gamma_n$ are linearly dependent. If so, reselect $B_1,B_2,\ldots,B_n$. Otherwise, select an encryption key for each class and calculate the connection matrix A. That is, for each service system user $V_i$, the data owner randomly selects its own encryption key
Figure BDA0003309035500000133
Definition of
Figure BDA0003309035500000141
and $\Phi=[\Phi_1,\ldots,\Phi_n]^T$; then $\Gamma\times A=\Phi$;
Solving the system of equations from this step gives $A=\Gamma^{-1}\times\Phi$;
Through a secure channel, the data owner sends ($(A_i, B_i)$,
Figure BDA0003309035500000142
) to service system user $V_i$, and sends F and A to the master node.
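The independence check and the solve for $A=\Gamma^{-1}\times\Phi$ can be traced with a small added example; it is not code from the patent. Assumptions: the finite field is GF(P) for a constructed prime P, the layout of each $\Gamma_i$ is read from the listed $\Gamma_1$, $\Gamma_2$, $\Gamma_n$, and the rows of $\Phi$ are constructed stand-ins because the page does not reproduce the definition of $\Phi_i$.

```python
# Added example: connection matrix A = Gamma^{-1} x Phi over GF(P).
P = 2_147_483_647  # constructed prime modulus standing in for the finite field

def build_gamma(bs):
    """Embed each 2-component B_i into an n-dimensional row Gamma_i (n >= 2).
    Assumed layout: row 1 fills columns 1 and 2; row i >= 2 fills
    column 1 and column i; every other entry is 0."""
    n = len(bs)
    gamma = [[0] * n for _ in range(n)]
    for i, (b1, b2) in enumerate(bs):
        gamma[i][0] = b1 % P
        gamma[i][1 if i == 0 else i] = b2 % P
    return gamma

def solve_connection_matrix(gamma, phi):
    """Return A with gamma x A = phi (mod P), or None when the Gamma_i are
    linearly dependent, which is the signal to reselect B_1..B_n."""
    n = len(gamma)
    aug = [list(g) + list(f) for g, f in zip(gamma, phi)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % P), None)
        if pivot is None:
            return None  # no pivot in this column: Gamma is singular
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)  # modular inverse (Python 3.8+)
        aug[col] = [(x * inv) % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def row_times(gamma_i, a):
    """Gamma_i x A (mod P): what one user recomputes from its private row."""
    return [sum(g * a[k][j] for k, g in enumerate(gamma_i)) % P
            for j in range(len(a[0]))]

# Constructed sample values, not taken from the patent.
GAMMA = build_gamma([(3, 5), (7, 11), (13, 17)])
PHI = [[101, 102, 103], [201, 202, 203], [301, 302, 303]]
A = solve_connection_matrix(GAMMA, PHI)

if __name__ == "__main__":
    for g, f in zip(GAMMA, PHI):
        print(row_times(g, A) == f)  # each private row reproduces its Phi_i
```

Because A is handed to the master node, the secrecy of each row's result rests on $\Gamma_i$ (derived from $B_i$) staying private; a singular $\Gamma$ makes A non-unique, which is why dependent rows force a reselection.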
The method of the invention can produce the following beneficial effects:
1) All the information on the index chain contains a specific service system key, and the original text cannot be derived, so that the risk of leakage is avoided.
2) Data request and response between the operating system and the data owner are realized, no third party participates, and no leakage risk exists in the process.
3) The data packet can be decrypted only by the private key of the service system, and the risk of third party disclosure is avoided.
4) The final use result of the data is generated into a transaction chain of a business system, so that the trace marking is realized and the traceability is realized.
It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The present invention is not limited to the above embodiments, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present invention are included in the scope of the claims of the present invention which are filed as the application.

Claims (10)

1. A shared encryption storage system constructed based on a block chain technology is characterized by comprising a main node and a consensus node;
the main node is used for realizing the management of users, the management of private data and services and the maintenance of data access information based on each logic layer deployed on the main node;
the consensus node is used for carrying out safety management on users accessing the consensus node, initiating a private data access request and providing private data service according to the private data access request based on each logic layer deployed on the consensus node;
the host node packages private data into signed transaction information by calling a storage access interface and sends the signed transaction information to the consensus node; the consensus nodes package the private data into a transaction block in a predefined period, forward the transaction block in a block chain, achieve consistency among all the consensus nodes based on a consensus algorithm, and write the consensus nodes into local database mirror images of all the consensus nodes to achieve global data consistency;
the user of each service system inquires and obtains the unprocessed transaction information of the current service system from the private data database through the consensus node; the consensus node filters the confirmed transaction block message forwarded to the current service system, extracts the transaction block message matched with the address of the current service system, and sends the matched transaction block message to the service system; the service system uses the main node public key to verify the signature of the transaction block message, decrypts the session key through the private key of the current service system, and then decrypts the transaction block message to obtain private data.
2. The system of claim 1, wherein the respective logical layers deployed on the master node and the consensus node comprise: the system comprises an infrastructure layer, a contract layer, an operation and maintenance layer, a performance layer and an application layer;
the infrastructure layer is used for packaging all infrastructures supporting intelligent contract implementation;
the contract layer is used for encapsulating static contract data;
the operation and maintenance layer is used for packaging dynamic operation on static contract data in the contract layer;
the presentation layer is used for encapsulating protocols and voting mechanisms;
the application layer is used for encapsulating each scene and application in the service flow.
3. The system of claim 2, wherein the infrastructure layer comprises: a distributed ledger, development environment and a predictive machine;
the distributed account book is used for recording all data processing process data on the shared encrypted storage system;
the development environment comprises a starting node realized based on computer codes, a contract deployment and a contract calling;
and the predicting machine carries out security management on the data source of the encryption storage system based on the security rule of the block chain.
4. The system of claim 1, wherein the user comprises: data owner, data user.
5. The system of claim 4, wherein the initiating the private data access request comprises:
when a data user needs to use project information of a certain participated service, searching whether a corresponding index exists on a block chain or not;
if so, the data user initiates a data request to the data owner based on the block chain; otherwise, the data consumer initiates a data request based on the block chain.
6. The system of claim 5, wherein the index comprises: primary key, public key information, private key, and signature.
7. The system of claim 4, wherein the providing private data services according to private data access requests comprises:
and after the data owner extracts the public key information and confirms that the data user is in a legal role, the data meeting the standard requirement is encrypted by using the public key and signed by using a private key to generate an encrypted data packet, and the encrypted data packet is sent based on the block chain.
8. The system of claim 7, wherein confirming that the data consumer is a legitimate role comprises: the confirmed data user is a legal user.
9. The system of claim 4, wherein said managing the user comprises: and auditing the roles and attributes of the users who join the block chain.
10. The system of claim 4, wherein the maintaining data access information comprises:
auditing the data information in the block chain, sending a data certificate and storing the data certificate;
establishing index information for the data information in the block chain and storing the index information;
private data access requests initiated by data users and private data services provided by data owners are stored.
CN202111211290.0A 2021-10-18 2021-10-18 Shared encryption storage system constructed based on block chain technology Pending CN114239043A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111211290.0A CN114239043A (en) 2021-10-18 2021-10-18 Shared encryption storage system constructed based on block chain technology

Publications (1)

Publication Number Publication Date
CN114239043A true CN114239043A (en) 2022-03-25

Family

ID=80743179

Country Status (1)

Country Link
CN (1) CN114239043A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115767515A (en) * 2022-10-28 2023-03-07 广州声博士声学技术有限公司 Encryption sharing method and system for real-time noise big data without base station
CN115767515B (en) * 2022-10-28 2023-07-14 广州声博士声学技术有限公司 Encryption sharing method and system for base station-free real-time noise big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination