CN114513533A - Classified and graded fitness and health big data sharing system and method

Publication number: CN114513533A
Authority: CN (China)
Prior art keywords: data, module, access control, access, strategy
Legal status: Granted, Active
Application number: CN202111609681.8A
Other languages: Chinese (zh)
Other versions: CN114513533B (en)
Inventors: 李明慧, 薛静锋, 王勇, 刘振岩, 张继, 周志雄
Current Assignee: Beijing Institute of Technology BIT; Capital University of Physical Education and Sports
Original Assignee: Beijing Institute of Technology BIT; Capital University of Physical Education and Sports
Application filed by Beijing Institute of Technology BIT and Capital University of Physical Education and Sports
Priority to CN202111609681.8A
Publication of CN114513533A
Application granted; publication of CN114513533B

Classifications

    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/102 Network architectures or network communication protocols for network security for controlling access to devices or network resources: entity profiles
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention provides a classified and graded fitness and health big data sharing system and method. The system comprises a user management module, a data management module, an access control module, a data sharing module, a blockchain and a distributed file system. The user management module manages users. The data management module encrypts data at different encryption levels according to the sensitivity level of the data. The access control module manages the access policies for the personal data generated by a data owner and enforces access control over that data. The data sharing module verifies the permissions of data visitors. The blockchain stores the access control policies and acts as the access control server. The distributed file system stores the encrypted personal data. The system builds and optimizes the path from data storage to data sharing on the blockchain, and provides auditable access control records while ensuring classified and graded privacy protection of the data.

Description

Classified and graded fitness and health big data sharing system and method
Technical Field
The invention relates to the technical field of information security, in particular to a classified and graded fitness and health big data sharing system and method.
Background
The open sharing of data across industries promotes the construction of big data resources, but data security and privacy protection urgently need attention. Fitness and health data in particular come from many sources, the identity of a data visitor cannot be known in advance, and the data contain sensitive information such as health conditions and diseases, so a data leak can threaten the privacy of the data owner. Fitness and health data leak for two main reasons: first, once data are uploaded to a cloud storage center, the data owner loses control over them; second, centralized access control makes permission decisions opaquely, so reliable enforcement of the access control policy cannot be guaranteed.
The blockchain is decentralized, tamper-proof and traceable, which makes it an effective technology for solving these problems. Combining the blockchain with cloud storage enables secure data storage and access auditing, and the smart contract mechanism of the blockchain enables decentralized access control.
In terms of data storage, patent CN202011440686.8 uses a blockchain for cross-department data sharing: unstructured data is stored off-chain in HDFS with the hash value of its content stored on-chain, while structured data is stored directly on-chain. Patent CN202010279827.6 addresses the low storage performance of a single blockchain node by using smart contracts to link the underlying blockchain platform with a big data framework platform; the blockchain stores the hash values of the full data and the data's storage location. Patent CN202010134988.6 deeply integrates Hadoop with the blockchain, using distributed NameNode servers as the accounting nodes of the blockchain and user roles assigned by smart contracts to access data on the DataNode servers. In terms of access control, the access policy in patent CN202010152042.2 contains the public keys of authorized users, and a smart contract verifies whether the user making an access request is authorized. Patent CN202011505943.1 combines the ABAC model with the blockchain, implements a distributed authorization flow with smart contracts, and stores the resulting authorization and access records on the blockchain.
In terms of data storage, although the prior art proposes off-chain storage with on-chain proof, it does not consider how to encrypt and protect the off-chain original data and metadata. For example, patents CN202011440686.8 and CN202010279827.6 only consider on-chain storage of metadata, and do not consider data source identification or classified and graded encryption of the original data. Patent CN202010134988.6 uses distributed NameNode servers as the accounting nodes of the blockchain, with one NameNode server acting as the master node, which does not conform to the decentralized nature of the blockchain; the tight coupling between the blockchain and the big data platform in CN202010134988.6 also makes it difficult to retrofit existing big data platforms with blockchain technology. In terms of access control, the distributed access control schemes that the prior art implements on a blockchain have performance and security problems. For example, patent CN202010152042.2 adds an authorized user by modifying the access policy, so the policy ledger must be modified continually, which increases the load on the blockchain. Patent CN202011505943.1 adopts a fine-grained access control policy, but if every resource access by a user requires blockchain authorization, resource reads are inefficient. In addition, the prior art only hardens some of the modules in the big data sharing process and provides no guarantee for the secure interaction between modules.
Disclosure of Invention
To solve the above technical problems, the invention provides a classified and graded fitness and health big data sharing system and method for fine-grained access control of fitness and health big data in a distributed environment and for secure, trustworthy data sharing. It addresses the prior-art problem that a centralized service provider manages user data in the traditional way, so that users lose control over their data and their privacy cannot be guaranteed.
According to a first aspect of the invention, a classified and graded fitness and health big data sharing system is provided. The system comprises:
a user management module, a data management module, an access control module, a data sharing module, a blockchain and a distributed file system;
the user management module manages the users of the classified and graded fitness and health big data sharing system; the users comprise data owners, service providers and data visitors; a data owner generates personal data, a service provider collects, manages and shares the personal data, and a data visitor accesses the personal data through the access control module of the blockchain;
the data management module encrypts the personal data at different encryption levels according to the data sensitivity level determined by the data owner, and stores the encrypted personal data in the distributed file system through the data sharing interface of the service provider;
the access control module manages the access policies for the personal data generated by the data owner and enforces access control over the personal data; it comprises a policy information point module, a policy management point module, a policy decision point module and a policy enforcement point module. The policy information point module collects and integrates attribute information in advance; the attribute information comprises the user attributes of the data visitor, resource attributes, environment attributes and operation attributes, where a resource is a collection of multiple items of personal data and an operation is the operation requested on a resource. The policy management point module generates the access control policy according to the encryption level of the personal data; the data owner can adjust and update the access control policy by calling a smart contract. The policy enforcement point module receives a data visitor's request to access a resource, extracts the data visitor's user, resource, environment and operation information from the request, and sends a request to the policy decision point module. The policy decision point module makes the access control decision based on the attribute information of the policy information point module and the access control policy of the policy management point module, determining whether the data visitor has the right to access the requested resource. The policy decision point module returns the decision to the policy enforcement point module: if access is granted, it returns the resource address, the hash value and an access token; otherwise it returns rejection information. The decision is stored in the log ledger of the blockchain;
the data sharing module verifies the permissions of a data visitor when an authorized data visitor sends a data request to the service provider; after the permission verification passes, the service provider obtains the corresponding personal data and the key corresponding to that data and returns them to the data visitor;
after the blockchain receives a storage request from a service provider, the metadata of the personal data provided by the service provider and the encryption key of the personal data are stored in the blockchain account of the data owner to whom the personal data belongs; the blockchain also stores the access control policy, which is an attribute-based logical expression expressing the resource access policy defined by the data owner; acting as the access control server, the blockchain authenticates and authorizes requests to access resources, and returns the resource address and an access token if verification passes;
the distributed file system is an HDFS file system and stores the encrypted personal data; multiple backup files are kept, and the addresses of the backup files are stored in the NameNode of the HDFS file system; after the personal data is stored, the distributed file system returns the metadata of the personal data to the service provider, the metadata comprising the hash value of the file storing the personal data, the URL (uniform resource locator) address of the file and the URL addresses of the backup files.
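The decision flow of the access control module described above, as an added example that is not part of the patent text: a policy enforcement point hands a request to a policy decision point, which evaluates the owner's attribute-based logical expression against pre-collected attributes, returns the resource address, hash value and access token or a rejection, and appends the decision to a hash-chained log standing in for the blockchain log ledger. The expression format, function and attribute names, sample users and URL are assumptions constructed for the illustration.

```python
import hashlib
import json
import secrets

# Policy management point: one attribute-based logical expression per resource.
# Assumed form: ("and" | "or", [sub-expressions]) or (op, "category.attribute", value).
POLICIES = {
    "res-ehr-001": ("and", [
        ("in", "user.role", ["physician", "coach"]),
        ("eq", "user.org", "hospital-a"),
        ("eq", "operation.type", "read"),
        ("le", "resource.level", 3),
        ("eq", "environment.network", "intranet"),
    ]),
}
# Policy information point: attributes collected in advance (constructed sample data).
USER_ATTRS = {
    "alice": {"role": "physician", "org": "hospital-a"},
    "mallory": {"role": "coach", "org": "gym-c"},
}
RESOURCE_ATTRS = {
    "res-ehr-001": {
        "level": 3,
        "url": "hdfs://namenode.example/health/ehr-001.enc",
        "sha256": hashlib.sha256(b"constructed ciphertext").hexdigest(),
    },
}
COMPARATORS = {
    "eq": lambda actual, expected: actual == expected,
    "in": lambda actual, expected: actual in expected,
    "le": lambda actual, expected: actual <= expected,
}


def evaluate(expr, attrs):
    """Evaluate a policy expression against the collected attributes."""
    op = expr[0]
    if op in ("and", "or"):
        combine = all if op == "and" else any
        return combine(evaluate(sub, attrs) for sub in expr[1])
    _, path, expected = expr
    category, name = path.split(".", 1)
    actual = attrs.get(category, {}).get(name)
    # A missing attribute never satisfies a condition (default deny).
    return actual is not None and COMPARATORS[op](actual, expected)


class LogLedger:
    """Append-only decision log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = prev + json.dumps(record, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["record"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def pdp_decide(resource_id, attrs, ledger):
    """Policy decision point: decide, record the decision, build the response."""
    policy = POLICIES.get(resource_id)
    granted = policy is not None and evaluate(policy, attrs)
    ledger.append({"user": attrs["user_id"], "resource": resource_id,
                   "operation": attrs["operation"]["type"],
                   "decision": "grant" if granted else "deny"})
    if not granted:
        return {"decision": "deny"}
    resource = attrs["resource"]
    return {"decision": "grant", "address": resource["url"],
            "hash": resource["sha256"], "token": secrets.token_urlsafe(16)}


def pep_handle(request, ledger):
    """Policy enforcement point: extract user, resource, environment and operation."""
    attrs = {
        "user_id": request["user"],
        "user": USER_ATTRS.get(request["user"], {}),
        "resource": RESOURCE_ATTRS.get(request["resource"], {}),
        "environment": request.get("environment", {}),
        "operation": {"type": request["operation"]},
    }
    return pdp_decide(request["resource"], attrs, ledger)


if __name__ == "__main__":
    log = LogLedger()
    print(pep_handle({"user": "alice", "resource": "res-ehr-001", "operation": "read",
                      "environment": {"network": "intranet"}}, log))
    print(log.verify())
```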
According to a second aspect of the invention, a classified and graded fitness and health big data sharing method is provided. The method is based on the classified and graded fitness and health big data sharing system described above and comprises the following steps:
step S101: the data owner sends an identity verification request to the blockchain; after verification passes, the data owner uploads the fitness and health data ciphertext to the service provider, and the blockchain stores the access control policy corresponding to that ciphertext;
step S102: the service provider stores the fitness and health data ciphertext in the HDFS file system, and stores the metadata and data key corresponding to the ciphertext on the blockchain;
step S103: after the data visitor's access request passes identity verification and access authorization on the blockchain, the data visitor obtains the metadata and data key corresponding to the requested data, then sends a request to the service provider and obtains the fitness and health data ciphertext by means of the proxy service conversion key and the HDFS file system; the data visitor decrypts the ciphertext locally to obtain the plaintext data.
According to a third aspect of the invention, a classified and graded fitness and health big data sharing system is provided, which comprises:
a processor for executing a plurality of instructions;
a memory for storing a plurality of instructions;
wherein the instructions are stored in the memory, and are loaded by the processor to execute the method described above.
According to a fourth aspect of the invention, a computer-readable storage medium is provided in which a plurality of instructions are stored; the instructions are loaded by a processor to perform the method described above.
According to the above scheme, a classified and graded fitness and health big data sharing system and method are provided. The system consists mainly of four modules (user management, data management, access control and data sharing) that implement the corresponding functions. Aimed at fitness and health big data, the invention builds and optimizes the path from data storage to data sharing on the blockchain, and provides auditable access control records while ensuring classified and graded privacy protection of the data. The invention has the following technical effects:
Starting from a sharing model and method for fitness and health big data, the invention incorporates classified and graded privacy protection of data, implements graded secure storage and fine-grained access control, and makes users' request verification, authorization and access records traceable, thereby securing the interaction between modules.
In terms of data storage, data classification and grading are central to data security management: classification allows data to be better managed and used, and grading supports data opening and sharing policies. Fitness and health data are classified according to the relevant requirements of chapter 8 of the national standard GB/T 38667-2020; on the basis of that classification, the data are graded according to the scope and degree of the potential impact of data tampering, leakage and the like; and encryption schemes of different strengths are applied according to the grading result. The encrypted data are stored in the distributed file system (HDFS), and the file's encryption key, the file's hash value, the file's Uniform Resource Locator (URL) address and the URL addresses of its copies are stored on the blockchain.
In terms of access control, the invention combines blockchain technology with the ABAC model to provide a distributed, auditable, attribute-based access control model. Attribute information and policy information are stored on the blockchain, and smart contracts implement the creation, deletion, modification and querying of that information as well as the access permission decision. Compared with other access control models such as ACLs, ABAC supports dynamic, fine-grained authorization; because ABAC access control is based on attributes rather than user identifiers, adding a user does not require modifying the access policy, which reduces writes to the blockchain ledger and improves performance. After access authorization passes, the blockchain stores the authorization record and returns the data address and an access token. When the data visitor accesses the resource in the service provider's HDFS at the data address, the service provider's permission verification service verifies the access token and, if verification passes, returns the decryption key. This verification step strengthens the security of resource access: even if an authorized user's access token is leaked to an attacker, the attacker can impersonate the authorized user to access data only within the token's current validity period; after expiration, the data owner re-authenticates and authorizes the generation of a new access token.
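One way the token check in the paragraph above could work, as an added example that is not part of the patent text: the service provider releases ciphertext and key only for an authentic, unexpired token bound to the requested address, and the data visitor checks the ciphertext against the hash recorded on the blockchain. The HMAC-signed token format, the verification key shared by issuer and service provider, all names and the sample data are assumptions; the patent does not specify a token format.

```python
import base64
import hashlib
import hmac
import json


def issue_token(key, user, resource_url, now, ttl_seconds):
    """Issuer side (the blockchain in the patent's design): bind user, resource, expiry."""
    claims = {"sub": user, "res": resource_url, "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def verify_token(key, token, resource_url, now):
    """Return the claims if the token is authentic, unexpired and bound to resource_url."""
    try:
        payload, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Check the tag before parsing, so only authentic payloads are ever decoded.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["res"] != resource_url or now >= claims["exp"]:
        return None
    return claims


class ServiceProvider:
    """Holds ciphertext (HDFS stand-in) and releases it with its key only for a valid token."""

    def __init__(self, verify_key):
        self._verify_key = verify_key
        self._files = {}

    def store(self, url, ciphertext, data_key):
        self._files[url] = (ciphertext, data_key)
        # Metadata that would be recorded on the blockchain.
        return {"url": url, "sha256": hashlib.sha256(ciphertext).hexdigest()}

    def fetch(self, url, token, now):
        if verify_token(self._verify_key, token, url, now) is None:
            raise PermissionError("access token rejected")
        return self._files[url]


def fetch_verified(provider, metadata, token, now):
    """Data visitor side: fetch, then compare the ciphertext with the recorded hash."""
    ciphertext, data_key = provider.fetch(metadata["url"], token, now)
    digest = hashlib.sha256(ciphertext).hexdigest()
    if not hmac.compare_digest(digest, metadata["sha256"]):
        raise ValueError("ciphertext does not match the recorded hash")
    return ciphertext, data_key


if __name__ == "__main__":
    key = b"constructed-verification-key"
    sp = ServiceProvider(key)
    meta = sp.store("hdfs://namenode.example/health/ehr-001.enc",
                    b"constructed ciphertext", b"constructed data key")
    token = issue_token(key, "alice", meta["url"], now=1000, ttl_seconds=300)
    print(fetch_verified(sp, meta, token, now=1100))
    try:
        fetch_verified(sp, meta, token, now=1300)
    except PermissionError as exc:
        print("after expiry:", exc)
```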
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings:
FIG. 1 is a schematic diagram of a classified and graded fitness and health big data sharing system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a fitness and health data collection and storage method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of access control according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of policy ledger information according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of log ledger information according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of data sharing according to an embodiment of the present invention.
Detailed Description
Interpretation of terms:
Blockchain: the blockchain is a new application model of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain stores the transaction ledger in the form of blocks and links the blocks by hash addresses. Depending on admission rights, blockchains fall into three main types: public chains, private chains and consortium chains. A public chain is fully decentralized and not controlled by any organization; a private chain has a strict identity authentication and permission control mechanism; a consortium chain sits between the two and is jointly maintained by member organizations.
Hyperledger Fabric: Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design serves a wide range of industry use cases. It offers a unique approach to consensus that delivers performance at scale while preserving privacy.
Fitness and health big data: fitness and health data of the human body are collected continuously through wearable devices or other terminals and include exercise data, electronic health records (EHRs), electronic medical records (EMRs) and the like. Personnel who have obtained access rights analyze and process the data, and data owners can obtain analysis results such as exercise suggestions, risk alerts and physical health status.
Data classification and grading: the safety law of the People's Republic of China (draft) emphasizes classified and graded protection of data at the level of national law. Classifying and grading data identifies the specific value of the data to the organization and determines the appropriate policy for protecting the integrity, confidentiality and availability of the data. Data classification is the process of distinguishing and categorizing an organization's data by its attributes or characteristics, according to defined principles and methods, and establishing a classification system and ordering so that the data can be better managed and used. According to GB/T 35273-2020, Information security technology: Personal information security specification, fitness and health data can be divided into personal identity information and personal health and physiological information. Data grading is the process of assigning levels to the classified data according to a defined grading principle, in support of setting security policies for opening and sharing the organization's data. The grading principle for fitness and health data is the size of the data's privacy impact on the individual.
Cloud storage: cloud storage is a storage technology derived from cloud computing and virtual storage technologies, and can be abstracted into a four-layer storage model: a storage layer, a basic management layer, an application interface layer and an access layer.
Hadoop: Hadoop is a distributed infrastructure that implements a distributed file system (HDFS), is highly fault-tolerant, and suits applications with large data sets. HDFS uses a master/slave architecture: an HDFS cluster consists of one NameNode and multiple DataNodes. The NameNode is the master server and manages the file system namespace and client access to files; the DataNodes in the cluster manage the stored data.
Attribute-based access control (ABAC) model: the ABAC model is an access control model that provides trust relationships for distributed applications and decides access requests for a resource on the basis of attributes. The core elements of the ABAC model are subjects, resources, operations and environmental constraints, all represented uniformly as attributes and attribute values. The eXtensible Access Control Markup Language (XACML) is a typical policy description language in ABAC environments.
Token: a token is a string generated by the server to identify a client's requests. After the user logs in for the first time, the server generates a token and returns it to the client; afterwards the client only needs to present the token when requesting data, without sending the user name and password again. Tokens can be classified as access tokens, session tokens, security tokens and so on; an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges and, in some cases, a specific application.
Proxy re-encryption: a trusted third party or semi-honest proxy is entrusted to convert a ciphertext encrypted under the authorizer's public key into a ciphertext that the authorized party's private key can decrypt, so that encrypted data can be shared.
Certificate Authority (CA): the CA is an organization that issues digital certificates and is responsible for issuing certificates, authenticating certificates and managing issued certificates.
Public Key Infrastructure (PKI): PKI implements the generation, management, storage, distribution and revocation of keys and certificates based on a public key cryptosystem.
X.509 certificate: the X.509 standard specifies what information a certificate may contain and describes how that information is recorded (the data format).
First, a classified and graded fitness and health big data sharing system according to an embodiment of the present invention is described with reference to FIG. 1. As shown in FIG. 1, the system includes:
the system comprises a user management module, a data management module, an access control module, a data sharing module, a block chain and a distributed file system;
the user management module is used for managing users of the classified grading fitness and health big data sharing system, the users comprise a data owner, a service provider and a data visitor, the data owner generates personal data, the service provider collects, manages and shares the personal data, and the data visitor accesses the personal data through an access control module of a block chain;
the data management module is used for encrypting the personal data by adopting different encryption levels according to the data sensitivity level of the personal data determined by the data owner; storing the encrypted personal data in a distributed file system through a data sharing interface of a service provider;
the access control module manages the access strategy of the personal data generated by the data owner and simultaneously realizes the access control of the personal data, and the access control module comprises a strategy information point module, a strategy management point module, a strategy decision point module and a strategy execution point module; the strategy information point module is used for collecting and integrating attribute information in advance, the attribute information comprises a user attribute, a resource attribute, an environment attribute and an operation attribute of a data visitor, the resource is a collection of a plurality of personal data, and the operation is an operation for a resource request; the strategy management point module is used for generating a control strategy according to the encryption level of personal data, and the access control strategy can be adjusted and updated by a data owner calling an intelligent contract; the policy enforcement point module receives a request of a data visitor for accessing resources, extracts data visitor, user, resources, environment and operation information in the request, and sends a request to the policy decision point module, and the policy decision point module performs access control judgment based on the attribute information of the policy information point module and the access control policy of the policy management point module, and judges whether the data visitor has the right to access the requested resources; the strategy decision point module returns the judgment result to the strategy execution point module, and if the judgment result is that the access is granted, the strategy decision point module returns a resource address, a hash value and an access token; otherwise, returning rejection information; storing the judgment result into a log book of the block chain;
the data sharing module is used for carrying out authority verification on a data accessor when the authorized data accessor sends a data request to a service provider, obtaining corresponding individual data and a key corresponding to the individual data by the service provider after the authority verification is passed, and returning the corresponding individual data and the key corresponding to the individual data to the data accessor;
after the blockchain receives a storage request from a service provider, the metadata of the personal data provided by the service provider and the encryption key of the personal data are stored in the blockchain account of the data owner corresponding to the personal data; the blockchain is also used for storing the access control policy, which is an attribute-based logical expression expressing the resource access policy defined by the data owner; acting as the access control server, the blockchain performs identity authentication and authorization on requests to access a resource, and returns a resource address and an access token if the authentication is passed;
the distributed file system is an HDFS file system and is used for storing encrypted personal data, a plurality of backup files are set, and addresses of the backup files are stored in a NameNode of the HDFS file system; after the personal data is stored, the distributed file system returns the metadata of the personal data to the service provider, wherein the metadata comprises a hash value of a file for storing the personal data, a URL (uniform resource locator) address of the file and a URL address of a backup file.
In this embodiment, the user management module and the data management module are both based on the perspective of a data owner, that is, the data using number, the access control module and the data sharing module constitute a resource by using a plurality of personal data from the perspective of data sharing, and the data visitor accesses the resource from the perspective of sharing.
The system further comprises a log module, wherein the log module is used for storing data generated by the user management module, the data management module, the access control module and the data sharing module, and comprises user data generated by the user management module, chain storage certificate of the data management module, attribute and strategy information of the access control module; the data sharing module makes an authorization judgment based on the information of the three modules, and the sharing module also records the sharing operation into the log module. The log module is also used for storing metadata and encryption keys generated by the data management module, and attribute information, access control policies and authorization results of the access requests of the access control module. When a data accessor sends a resource access request to the data sharing module, an authorization result in the log module is used for verifying the validity of the access token and the operation compliance, if the verification is passed, the metadata and the encryption key are returned, and meanwhile, the log module updates the access record of the resource.
In this embodiment, the user management module is a component of the consortium chain Hyperledger Fabric and works with the overall blockchain architecture to issue user certificates. The data management module, the access control module and the data sharing module are implemented as smart contracts and deployed on the blockchain.
In this embodiment, the blockchain is the consortium chain Hyperledger Fabric. All members of Fabric can join the blockchain after authorization; its admission mechanism is more flexible than that of a private chain, its transaction throughput is higher than that of a public chain, and all of its modules are pluggable, so it meets the security, efficiency and customizability requirements of the fitness and health big data scenario. The blockchain is responsible for authenticating users.
The user management module manages the data owners, service providers and data visitors of the big data sharing system based on Fabric's membership service provider (MSP). The MSP is a user certificate and private key system built on PKI that encapsulates certificate issuance, user authentication, and the encryption mechanisms and protocols; this embodiment uses the Fabric CA service to generate X.509 certificates. All users register and obtain certificates through the REST API, and Fabric CA supports certificate renewal, revocation and the like, which suits a big data sharing system whose membership changes frequently.
As shown in Fig. 2, in the data management module, encrypting the personal data with different encryption levels according to the data sensitivity level determined by the data owner proceeds as follows: after generating personal data, the data owner determines the data type of the personal data and its data sensitivity label, of which there are four: public data, general sensitive data, highly sensitive data and extremely sensitive data; an encryption module configured at the data owner's client then uses the DES and AES symmetric encryption algorithms with different key lengths to encrypt the personal data at different levels. To avoid exposing the symmetric encryption key during transmission and storage, the key is encrypted with the data owner's public key pk_DO to obtain the encrypted key Co. The data owner then initiates a storage request to the service provider, with request parameters including the data owner's public key, the encryption level and the encrypted data.
In this embodiment, the data sensitivity label is set according to the potential scope and degree of impact that tampering with or leaking the data would cause. After the data is stored, HDFS returns to the service provider metadata including the hash value of the file storing the personal data, the URL address of the file, the URL address of the backup file, and the like. Because the URL addresses (of the file and of the backup file) are later stored in the blockchain, there is a risk of resource address leakage, so all content in the metadata is encrypted with the public key of the service provider. The service provider then initiates a storage request to the blockchain and stores the metadata and the encryption key of the file in the blockchain account of the data owner, which provides confirmation of data ownership, tamper resistance of the data and management of the encryption key. This embodiment implements secure storage at different encryption levels based on data classification and grading; because storing the original encrypted data directly on chain performs poorly, it stores the encrypted data off chain and the metadata and data key on chain, which supports data ownership confirmation, efficient data storage and data tamper resistance.
As shown in Fig. 3, the access control module is built on an attribute-based access control model (ABAC access control model), which includes a Policy Information Point (PIP), a Policy Administration Point (PAP), a Policy Decision Point (PDP), and a Policy Enforcement Point (PEP); the PIP manages entity attribute information; the PAP manages access control policies; the PDP makes access control decisions; the PEP receives the access request and executes the decision result. In this embodiment, the PIP, the PAP and the PDP are implemented as smart contracts, and the PEP acts as an access control client that interacts with the blockchain for access control.
In this embodiment, the access control method of the resource is divided into two stages: an initialization phase and a policy enforcement phase.
In the initialization phase, the PIP collects and integrates attribute information in advance, comprising user attributes, resource attributes, environment attributes and operation attributes; meanwhile, the PAP generates an initial access control policy according to the encryption level of the file, and the data owner can call a smart contract to update the access control policy.
In the execution phase, the PEP receives a user's request to access a resource, extracts the user, resource, environment and operation information from the request, and sends the request to the PDP, which makes the access control decision by combining the PIP and the PAP. The PDP then returns the decision to the PEP: if access is granted, the PDP returns a resource address, a hash value, an access token and the like; otherwise it returns rejection information. The decision is also recorded in the log ledger.
The invention achieves fine-grained access control based on the ABAC access control model and, by combining the access control model with the blockchain, makes access records auditable and traceable. Because the blockchain is decentralized and tamper-resistant, the method stores the policy information in the blockchain, so that the policy information is verifiable and traceable by anyone and cannot be tampered with, which addresses the single point of failure and opaque authorization decisions of centralized access control. In addition, the access control decision process is implemented as a smart contract, which ensures that the access control policy is applied correctly and avoids human intervention. The invention adopts the attribute-based distributed access control model to achieve fine-grained access control, supports the data owner in formulating a sharing policy, and ensures the tamper resistance, auditability and verifiability of the access control information.
Fig. 4 and Fig. 5 show the specific contents of the policy ledger and the log ledger in Fig. 3; the meanings of the ledger fields are explained in Table 1 and Table 2. As shown in Fig. 4, the access control ledger uses the public key of the data owner and the public key of the service provider as the key, and the value is managed at file granularity. The content of policy is initialized according to the level of the file; in the example of Fig. 4, the initialization policy for the secondary encryption level is that manager has the right to read and write the file. Formulating policies this way not only yields a suitable policy for each file according to its classification and grade, but also reduces the interaction between the user and the blockchain. After the access control decision is made, the log ledger log_hedger records the authorization information. As shown in Fig. 5, its unique identifier consists of the public key of the data owner, the public key of the service provider and the public key of the data visitor; the access token access_token is a random string that serves as the authorization credential, and the expiration time expires_interval and the update time refresh_count are used to monitor access_token.
Table 1. Policy ledger field meanings
[Table 1 appears as an image in the original publication]
Table 2. Log ledger field meanings
[Table 2 appears as an image in the original publication]
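The two-phase flow and the two ledgers described above can be sketched as follows. This is an added illustration, not code from the patent: the class and method names, the attribute naming (`user.role`, `env.network`), the level 1, 3 and 4 initial policies and all sample values are assumptions; only the level-2 policy and the field names access_token, expires_interval and refresh_count come from the text.

```python
import hmac
import secrets
import time

# Initial policy per encryption level. Only the level-2 entry follows the page's
# example (manager may read and write); the other levels are constructed.
INITIAL_POLICY = {
    1: {"user.role": {"manager", "coach", "researcher"}, "operation": {"read"}},
    2: {"user.role": {"manager"}, "operation": {"read", "write"}},
    3: {"user.role": {"manager"}, "operation": {"read"}, "env.network": {"intranet"}},
    4: {"user.role": set()},  # no visitor matches until the owner updates it
}


class AccessControl:
    """PIP, PAP and PDP state; on the page this lives in smart contracts."""

    def __init__(self, token_ttl=300):
        self.attributes = {}     # PIP: visitor public key -> user attributes
        self.policy_ledger = {}  # PAP: (pk_do, pk_sp) -> {file_id: entry}
        self.log_ledger = {}     # (pk_do, pk_sp, pk_dp) -> latest decision
        self.token_ttl = token_ttl

    def register_visitor(self, pk_dp, **user_attrs):
        self.attributes[pk_dp] = {f"user.{k}": v for k, v in user_attrs.items()}

    def store_file(self, pk_do, pk_sp, file_id, level, url, file_hash):
        """Initialization phase: the policy is derived from the file's level."""
        policy = {attr: set(ok) for attr, ok in INITIAL_POLICY[level].items()}
        files = self.policy_ledger.setdefault((pk_do, pk_sp), {})
        files[file_id] = {"level": level, "policy": policy,
                          "url": url, "hash": file_hash}

    def update_policy(self, caller_pk, pk_do, pk_sp, file_id, policy):
        """Only the data owner may replace the policy of one of their files."""
        if caller_pk != pk_do:
            raise PermissionError("caller is not the data owner")
        entry = self.policy_ledger[(pk_do, pk_sp)][file_id]
        entry["policy"] = {attr: set(ok) for attr, ok in policy.items()}

    def decide(self, pk_do, pk_sp, pk_dp, file_id, operation, env, now=None):
        """PDP: every attribute named by the policy must hold an allowed value."""
        now = time.time() if now is None else now
        entry = self.policy_ledger.get((pk_do, pk_sp), {}).get(file_id)
        attrs = dict(self.attributes.get(pk_dp, {}), operation=operation)
        attrs.update({f"env.{k}": v for k, v in env.items()})
        granted = entry is not None and all(
            attrs.get(attr) in allowed for attr, allowed in entry["policy"].items())
        record = {"file_id": file_id, "operation": operation,
                  "granted": granted, "issued_at": now}
        if granted:
            record.update(access_token=secrets.token_urlsafe(32),
                          expires_interval=self.token_ttl, refresh_count=0)
        self.log_ledger[(pk_do, pk_sp, pk_dp)] = record  # denials are logged too
        if not granted:
            return {"granted": False, "reason": "request does not satisfy policy"}
        return {"granted": True, "url": entry["url"], "hash": entry["hash"],
                "access_token": record["access_token"]}

    def verify_token(self, pk_do, pk_sp, pk_dp, file_id, operation, token, now=None):
        """Permission verification before data is released: token validity
        (match and expiry) and operation compliance, both from the log ledger."""
        now = time.time() if now is None else now
        rec = self.log_ledger.get((pk_do, pk_sp, pk_dp))
        if rec is None or not rec["granted"]:
            return False
        valid = hmac.compare_digest(rec["access_token"].encode(), token.encode())
        fresh = now <= rec["issued_at"] + rec["expires_interval"]
        compliant = rec["file_id"] == file_id and rec["operation"] == operation
        return valid and fresh and compliant


def demo():
    """Constructed scenario: one level-2 file, a manager and a coach."""
    ac = AccessControl(token_ttl=300)
    ac.register_visitor("pk_DP_manager", role="manager")
    ac.register_visitor("pk_DP_coach", role="coach")
    ac.store_file("pk_DO", "pk_SP", "heart_rate.csv", 2,
                  "hdfs://constructed/heart_rate.csv.enc", "constructed-hash")
    ok = ac.decide("pk_DO", "pk_SP", "pk_DP_manager", "heart_rate.csv", "read", {}, now=1000)
    no = ac.decide("pk_DO", "pk_SP", "pk_DP_coach", "heart_rate.csv", "read", {}, now=1000)
    return ac, ok, no


if __name__ == "__main__":
    _, ok, no = demo()
    print("manager:", ok["granted"], "coach:", no["granted"])
```

The token is checked against the ledger record rather than trusted on presentation, so an expired token, a token replayed for a different operation, and a forged string are all rejected.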
As shown in Fig. 6, in the data sharing module, after obtaining authorization the data visitor initiates, through the data sharing interface, an access request to the service provider carrying its public key, the access token and the resource address; the permission verification service confirms the validity of the access token and the compliance of the operation against the blockchain log ledger and, if the verification passes, returns metadata information such as the encrypted data key Co, the resource address URL and the file hash value, and updates the log ledger at the same time;
the permission verification service, carrying Co and the public key of the data visitor, initiates a request to the proxy service to perform proxy re-encryption, which comprises: initiating a request to the data owner, who generates a re-encryption key rk with the re-encryption key generation algorithm ReKeyGen from the data owner's private key sk_DO and the data visitor's public key pk_DP and returns rk to the proxy service; the proxy service uses the re-encryption algorithm ReEnc and rk to re-encrypt the encrypted key Co into the re-encrypted key Cp, and returns Cp to the data sharing interface;
the data sharing interface decrypts the metadata with the private key of the service provider, fetches the symmetrically encrypted ciphertext C from the HDFS file system according to the resource address URL, and returns the ciphertext C, the re-encrypted key Cp and the hash value to the data visitor; the data visitor decrypts Cp with its private key sk_DP to obtain the symmetric encryption key, then decrypts the ciphertext C with that key to obtain the plaintext M, and can verify the integrity of M against the hash value.
In this embodiment, once authorized, the data visitor can present the access token and initiate a data request to the service provider. On receiving the request, the service provider first verifies the validity of the access token and, after the verification passes, returns the encrypted data to the data visitor. There are two schemes by which the data visitor can obtain the symmetric key of the data. In the first, the data owner decrypts the symmetric key with its private key, re-encrypts it with the public key of the data visitor and shares it with the data visitor. In the second, the symmetric key encrypted under the data owner's public key is converted by proxy re-encryption: the proxy service performs the computation with the conversion key and turns it into a key ciphertext that can be decrypted with the data visitor's private key. Suppose a data owner owns N data items, each with its own symmetric key, and M data visitors want to access all N. Under the first scheme the data owner must first decrypt the N encrypted keys and then encrypt the symmetric keys with the public keys of each of the M data visitors, so the data owner performs M × N computations in total; under the second scheme the data owner only needs to generate re-encryption keys for the M data visitors and the re-encryption itself runs on the proxy service of the service provider, so the data owner performs M computations in total. The service provider has far more computing power than the data owner, so the second scheme reduces the computing load on the data owner, and the proxy re-encryption process does not leak any plaintext information to the service provider; the second scheme is therefore used to ensure secure and efficient key conversion.
For fitness and health big data, the invention designs a sharing system and method with classified and graded privacy protection and auditable user operations. User management for the fitness and health big data sharing platform is implemented on the consortium chain and supports privacy protection and security auditing of user identities. Secure storage at different encryption levels is implemented based on data classification and grading; because storing the original encrypted data directly on chain performs poorly, the encrypted data is stored off chain and the metadata and data key are stored on chain, which supports data ownership confirmation, efficient data storage and data tamper resistance. The attribute-based distributed access control model provides fine-grained access control, supports the data owner in formulating a sharing policy, and ensures the tamper resistance, auditability and verifiability of the access control information. Authentication based on the access token secures resource access, and proxy re-encryption secures data decryption.
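The key path Co → Cp and the M versus M × N count can be made concrete with the added sketch below, which is not code from the patent. The patent does not name its proxy re-encryption scheme; the hashed-ElGamal construction, the function names other than the roles of ReKeyGen and ReEnc, and the 768-bit group are assumptions chosen for illustration, and only the symmetric key is handled (the bulk ciphertext C is out of scope).

```python
import hashlib
import secrets

# 768-bit safe prime of Oakley Group 1 (RFC 2409); small by current standards
# and used here only to keep the illustration fast. G = 4 generates the
# subgroup of prime order Q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
NBYTES = (P.bit_length() + 7) // 8


def _hash_to_scalar(*elems):
    data = b"".join(e.to_bytes(NBYTES, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def _mask(elem, data):
    # XOR with a hash-derived pad; the wrapped key is not authenticated here.
    pad = hashlib.sha256(b"kdf" + elem.to_bytes(NBYTES, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt_key(pk_do, sym_key):
    """Owner side: wrap a 32-byte symmetric key under pk_DO, giving Co."""
    if len(sym_key) != 32:
        raise ValueError("symmetric key must be 32 bytes")
    e = secrets.randbelow(Q - 1) + 1
    return pow(G, e, P), _mask(pow(pk_do, e, P), sym_key)


def decrypt_owner(sk_do, co):
    capsule, body = co
    return _mask(pow(capsule, sk_do, P), body)


def rekeygen(sk_do, pk_dp):
    """ReKeyGen(sk_DO, pk_DP): needs only the visitor's public key."""
    x = secrets.randbelow(Q - 1) + 1
    big_x = pow(G, x, P)
    d = _hash_to_scalar(big_x, pk_dp, pow(pk_dp, x, P))
    return sk_do * pow(d, -1, Q) % Q, big_x


def reenc(rk, co):
    """Proxy side: turn Co into Cp without learning the symmetric key."""
    scalar, big_x = rk
    capsule, body = co
    return pow(capsule, scalar, P), big_x, body


def decrypt_visitor(sk_dp, pk_dp, cp):
    capsule, big_x, body = cp
    d = _hash_to_scalar(big_x, pk_dp, pow(big_x, sk_dp, P))
    return _mask(pow(capsule, d, P), body)


def share(n_files, m_visitors):
    """Owner with N wrapped keys shares all of them with M visitors."""
    sk_do, pk_do = keygen()
    keys = [secrets.token_bytes(32) for _ in range(n_files)]
    wrapped = [encrypt_key(pk_do, k) for k in keys]   # one Co per file
    owner_calls = proxy_calls = 0
    recovered = True
    for _ in range(m_visitors):
        sk_dp, pk_dp = keygen()
        rk = rekeygen(sk_do, pk_dp)                   # owner: once per visitor
        owner_calls += 1
        for key, co in zip(keys, wrapped):
            cp = reenc(rk, co)                        # proxy: once per file
            proxy_calls += 1
            recovered &= decrypt_visitor(sk_dp, pk_dp, cp) == key
    return {"owner_rekeygen_calls": owner_calls,
            "proxy_reenc_calls": proxy_calls, "all_recovered": recovered}


if __name__ == "__main__":
    print(share(n_files=3, m_visitors=2))
```

In this construction the proxy holding rk and a visitor acting together could reconstruct sk_DO, so the trust placed in the proxy service matters when choosing a concrete scheme.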
The following describes a classified and graded fitness and health big data sharing method according to an embodiment of the present invention, the method is applied to the classified and graded fitness and health big data sharing system, and the method comprises the following steps:
step S101: the data owner initiates an identity verification request to the block chain, after the verification is passed, the data owner uploads a fitness health data ciphertext to a service provider, and the block chain stores an access control strategy corresponding to the fitness health data ciphertext;
step S102: the service provider provides a health data ciphertext stored in the HDFS file system, and stores metadata and a data key corresponding to the health data ciphertext to a block chain;
step S103: after the access request of the data accessor is subjected to identity verification and access authorization through the block chain, metadata and a data key corresponding to the access data are obtained; and initiating a request to a service provider, acquiring a body building health data ciphertext through the proxy service conversion key and the HDFS file system, and locally decrypting the body building health data ciphertext by a data visitor to obtain plaintext data.
The invention provides a classified grading fitness health big data sharing system, which comprises:
a processor for executing a plurality of instructions;
a memory to store a plurality of instructions;
wherein the instructions are for storage by the memory and for loading and executing the method by the processor.
The present invention provides a computer-readable storage medium having stored therein a plurality of instructions; the plurality of instructions for being loaded by a processor and performing the method as described above.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that enable a computer device (which may be a personal computer, a physical server, a network cloud server, or the like, and needs to have a Windows or Windows Server operating system installed) to perform some steps of the method according to the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and any simple modification, equivalent change and modification made to the above embodiment according to the technical spirit of the present invention are still within the scope of the technical solution of the present invention.

Claims (7)

1. A classified hierarchical fitness health big data sharing system, the system comprising:
the system comprises a user management module, a data management module, an access control module, a data sharing module, a block chain and a distributed file system;
the user management module is used for managing users of the classified grading fitness and health big data sharing system, the users comprise a data owner, a service provider and a data visitor, the data owner generates personal data, the service provider collects, manages and shares the personal data, and the data visitor accesses the personal data through an access control module of a block chain;
the data management module is used for encrypting the personal data by adopting different encryption levels according to the data sensitivity level of the personal data determined by the data owner; storing the encrypted personal data in a distributed file system through a data sharing interface of a service provider;
the access control module manages the access policies of the personal data generated by the data owner and also enforces access control over the personal data; it comprises a policy information point module, a policy administration point module, a policy decision point module and a policy enforcement point module; the policy information point module collects and integrates attribute information in advance, the attribute information comprising the user attributes of the data visitor, resource attributes, environment attributes and operation attributes, where a resource is a collection of a plurality of personal data and an operation is an operation requested on a resource; the policy administration point module generates an access control policy according to the encryption level of the personal data, and the data owner can adjust and update the access control policy by calling a smart contract; the policy enforcement point module receives a data visitor's request to access a resource, extracts the data visitor, user, resource, environment and operation information from the request, and sends a request to the policy decision point module; the policy decision point module makes the access control decision based on the attribute information of the policy information point module and the access control policy of the policy administration point module, determining whether the data visitor has the right to access the requested resource; the policy decision point module returns the decision to the policy enforcement point module: if access is granted, it returns a resource address, a hash value and an access token; otherwise it returns rejection information; the decision is stored in the log ledger of the blockchain;
the data sharing module is used for carrying out authority verification on a data accessor when the authorized data accessor sends a data request to a service provider, obtaining corresponding individual data and a key corresponding to the individual data by the service provider after the authority verification is passed, and returning the corresponding individual data and the key corresponding to the individual data to the data accessor;
after the blockchain receives a storage request from a service provider, the metadata of the personal data provided by the service provider and the encryption key of the personal data are stored in the blockchain account of the data owner corresponding to the personal data; the blockchain is also used for storing the access control policy, which is an attribute-based logical expression expressing the resource access policy defined by the data owner; acting as the access control server, the blockchain performs identity authentication and authorization on requests to access a resource, and returns a resource address and an access token if the authentication is passed;
the distributed file system is an HDFS file system and is used for storing encrypted personal data, a plurality of backup files are set, and addresses of the backup files are stored in a NameNode of the HDFS file system; after the personal data is stored, the distributed file system returns the metadata of the personal data to the service provider, wherein the metadata comprises a hash value of a file for storing the personal data, a URL (uniform resource locator) address of the file and a URL address of a backup file.
2. The system of claim 1, wherein the system comprises a log module, the log module is for storing data generated by the user management module, the data management module, the access control module, and the data sharing module, and comprises user data generated by the user management module, chain credentials of the data management module, attributes of the access control module, and policy information; the data sharing module makes an authorization judgment based on the information of the three modules, and the sharing module also records the sharing operation to the log module; the log module is also used for storing metadata and an encryption key generated by the data management module, and attribute information, an access control strategy and an authorization result of the access request of the access control module; when a data accessor sends a resource access request to the data sharing module, an authorization result in the log module is used for verifying the validity of the access token and the operation compliance, if the verification is passed, the metadata and the encryption key are returned, and meanwhile, the log module updates the access record of the resource.
3. The system of claim 2, wherein said encrypting the personal data with different levels of encryption based on a data sensitivity level of the personal data determined by a data owner comprises: after the data owner generates personal data, the data owner determines the data type of the personal data and the data sensitivity degree labels of the personal data, wherein the data sensitivity degree labels comprise four types, namely public data, general sensitive data, highly sensitive data and extremely sensitive data; after the data owner determines the data type of the personal data and the data sensitivity degree label of the personal data, an encryption module configured at a client of the data owner adopts DES and AES symmetric encryption algorithms with different key lengths to realize different levels of encryption of the personal data.
4. The system of claim 3, wherein in the data sharing module, after obtaining authorization the data visitor initiates, through the data sharing interface, an access request to the service provider carrying its public key, the access token and the resource address; the permission verification service confirms the validity of the access token and the compliance of the operation against the blockchain log ledger and, if the verification passes, returns metadata information such as the encrypted data key Co, the resource address URL and the file hash value, and updates the log ledger at the same time;
the permission verification service, carrying Co and the public key of the data visitor, initiates a request to the proxy service to perform proxy re-encryption, which comprises: initiating a request to the data owner, who generates a re-encryption key rk with the re-encryption key generation algorithm ReKeyGen from the data owner's private key sk_DO and the data visitor's public key pk_DP and returns rk to the proxy service; the proxy service uses the re-encryption algorithm ReEnc and rk to re-encrypt the encrypted key Co into the re-encrypted key Cp, and returns Cp to the data sharing interface;
the data sharing interface decrypts the metadata with the private key of the service provider, fetches the symmetrically encrypted ciphertext C from the HDFS file system according to the resource address URL, and returns the ciphertext C, the re-encrypted key Cp and the hash value to the data visitor; the data visitor decrypts Cp with its private key sk_DP to obtain the symmetric encryption key, then decrypts the ciphertext C with that key to obtain the plaintext M, and can verify the integrity of M against the hash value.
5. A classified hierarchical fitness health big data sharing method, the method being based on the system according to any one of claims 1-4, the method comprising the steps of:
step S101: the data owner initiates an identity verification request to the block chain, after the verification is passed, the data owner uploads a fitness health data ciphertext to a service provider, and the block chain stores an access control strategy corresponding to the fitness health data ciphertext;
step S102: the service provider provides a health data ciphertext stored in the HDFS file system, and stores metadata and a data key corresponding to the health data ciphertext to a block chain;
step S103: after the access request of the data accessor is subjected to identity verification and access authorization through the block chain, metadata and a data key corresponding to the access data are obtained; and initiating a request to a service provider, acquiring a body building health data ciphertext through the proxy service conversion key and the HDFS file system, and locally decrypting the body building health data ciphertext by a data visitor to obtain plaintext data.
6. A categorical hierarchical fitness health big data sharing system, comprising:
a processor for executing a plurality of instructions;
a memory to store a plurality of instructions;
wherein the plurality of instructions are for storage by the memory and for loading and execution by the processor of the method of claim 5.
7. A computer-readable storage medium having stored therein a plurality of instructions; the plurality of instructions for being loaded by a processor and for performing the method of claim 5.
CN202111609681.8A 2021-12-24 2021-12-24 Classified and graded body-building health big data sharing system and method Active CN114513533B (en)

Publications (2)

Publication Number Publication Date
CN114513533A (en) 2022-05-17
CN114513533B (en) 2023-06-27

Family

ID=81547642

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111609681.8A Active CN114513533B (en) 2021-12-24 2021-12-24 Classified and graded body-building health big data sharing system and method

Country Status (1)

Country Link
CN (1) CN114513533B (en)

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991278A (en) * 2016-07-11 2016-10-05 河北省科学院应用数学研究所 Ciphertext access control method based on CP-ABE (Ciphertext-Policy Attribute-Based Encryption)
CN106992988A (en) * 2017-05-11 2017-07-28 浙江工商大学 A kind of cross-domain anonymous resource sharing platform and its implementation
CN108600169A (en) * 2018-03-19 2018-09-28 中山大学 A kind of HBase fine-grained access control methods based on encryption technology
CN111079191A (en) * 2020-01-09 2020-04-28 内蒙古大学 CP-ABE access control scheme based on block chain
CN111181719A (en) * 2019-12-30 2020-05-19 山东师范大学 Hierarchical access control method and system based on attribute encryption in cloud environment
CN111191288A (en) * 2019-12-30 2020-05-22 中电海康集团有限公司 Block chain data access authority control method based on proxy re-encryption
CN111343001A (en) * 2020-02-07 2020-06-26 复旦大学 Social data sharing system based on block chain
CN111914269A (en) * 2020-07-07 2020-11-10 华中科技大学 Data security sharing method and system under block chain and cloud storage environment
US20200404023A1 (en) * 2017-11-09 2020-12-24 University Of Science & Technology Beijing Method and system for cryptographic attribute-based access control supporting dynamic rules
US20210006400A1 (en) * 2018-03-19 2021-01-07 Huawei Technologies Co., Ltd. Method and apparatus for controlling data access right
CN112688927A (en) * 2020-12-18 2021-04-20 重庆大学 Block chain-based distributed access control method
CN112836229A (en) * 2021-02-10 2021-05-25 北京深安信息科技有限公司 Attribute-based encryption and block-chaining combined trusted data access control scheme
CN112863629A (en) * 2021-03-22 2021-05-28 山东勤成健康科技股份有限公司 Block chain-based medical electronic medical record distributed management system and preparation method thereof
CN112910840A (en) * 2021-01-14 2021-06-04 重庆邮电大学 Medical data storage and sharing method and system based on alliance blockchain
CN112989415A (en) * 2021-03-23 2021-06-18 广东工业大学 Private data storage and access control method and system based on block chain
CN113449014A (en) * 2021-06-28 2021-09-28 电子科技大学 Selective cloud data query system based on block chain
CN113486082A (en) * 2021-06-28 2021-10-08 电子科技大学 Outsourcing data access control system based on block chain
CN113595971A (en) * 2021-06-02 2021-11-02 云南财经大学 Block chain-based distributed data security sharing method, system and computer readable medium
CN113779612A (en) * 2021-09-30 2021-12-10 国网湖南省电力有限公司 Data sharing method and system based on block chain and hidden strategy attribute encryption

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296845A (en) * 2022-07-01 2022-11-04 中国科学院计算技术研究所 Medical data hierarchical access control method and system based on attribute encryption
CN114978771A (en) * 2022-07-26 2022-08-30 成都云智数安科技有限公司 Data security sharing method and system based on block chain technology
CN115208697A (en) * 2022-09-15 2022-10-18 广州万协通信息技术有限公司 Adaptive data encryption method and device based on attack behavior
CN115859345A (en) * 2022-11-10 2023-03-28 广州益涛网络科技有限公司 Data access management method and system based on block chain
CN115859345B (en) * 2022-11-10 2023-09-22 湖北华中电力科技开发有限责任公司 Data access management method and system based on block chain
CN116232704A (en) * 2023-02-13 2023-06-06 广州大学 Data controlled access method and system based on XACML and intelligent contract
CN116232704B (en) * 2023-02-13 2024-05-03 广州大学 Data controlled access method and system based on XACML and intelligent contract
CN115935400A (en) * 2023-03-10 2023-04-07 山东科技职业学院 Data encryption storage system based on industrial internet
CN116304228A (en) * 2023-05-25 2023-06-23 中国信息通信研究院 Block chain-based data storage method, device, equipment and medium
CN116340366A (en) * 2023-05-25 2023-06-27 中国信息通信研究院 Block chain-based data sharing storage method, device, equipment and medium
CN116599647B (en) * 2023-06-29 2023-09-29 中国电信股份有限公司 Information processing method, service node, blockchain network, and storage medium
CN116599647A (en) * 2023-06-29 2023-08-15 中国电信股份有限公司 Information processing method, service node, blockchain network, and storage medium
CN116611116B (en) * 2023-07-21 2023-11-17 江苏华存电子科技有限公司 Data secure storage management method and system
CN116611116A (en) * 2023-07-21 2023-08-18 江苏华存电子科技有限公司 Data secure storage management method and system
CN116702216B (en) * 2023-08-07 2023-11-03 菏泽市自然资源和规划局 Multi-level access control method and device for real estate data
CN116702216A (en) * 2023-08-07 2023-09-05 菏泽市自然资源和规划局 Multi-level access control method and device for real estate data
CN117056983A (en) * 2023-10-13 2023-11-14 ***紫金(江苏)创新研究院有限公司 Multistage controllable data sharing authorization method, device and blockchain system
CN117056983B (en) * 2023-10-13 2024-01-02 ***紫金(江苏)创新研究院有限公司 Multistage controllable data sharing authorization method, device and blockchain system
CN117544622A (en) * 2023-11-07 2024-02-09 翼健(上海)信息科技有限公司 User-controllable privacy data authorization sharing method, system and medium
CN117880305A (en) * 2023-11-20 2024-04-12 北京易华录信息技术股份有限公司 Government affair data open sharing method and system based on blockchain
CN117854663A (en) * 2024-03-07 2024-04-09 泛喜健康科技有限公司 Patient health data management system based on identity information identification
CN117854663B (en) * 2024-03-07 2024-05-31 泛喜健康科技有限公司 Patient health data management system based on identity information identification

Also Published As

Publication number Publication date
CN114513533B (en) 2023-06-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant