CN114520747B - Data security sharing system and method taking data as center - Google Patents

Info

Publication number: CN114520747B
Authority: CN (China)
Prior art keywords: data, chain, access, sub, key
Legal status: Active
Application number: CN202210417866.7A
Other languages: Chinese (zh)
Other versions: CN114520747A
Inventors: 王连海, 王英龙, 张淑慧
Current assignee: Shandong Computer Science Center National Super Computing Center in Jinan
Original assignee: Shandong Computer Science Center National Super Computing Center in Jinan

Classifications

    • H04L63/0428: Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0876: Network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network security for controlling access to devices or network resources
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/3236: Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication (authorization, entity authentication, data integrity or verification, non-repudiation, key authentication or verification of credentials), using cryptographic hash functions
    • H04L9/3247: Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication, involving digital signatures

Abstract

The invention relates to the technical field of data security sharing and privacy protection, and discloses a data-centric data security sharing system and method deployed in a layered, multi-sub-chain parallel mode. The system comprises: a data storage layer, configured to realize the organization, management and encrypted storage of data; a data distribution layer, configured so that the data owner sets a data access control policy according to the attributes of the data user, encrypts the data in combination with that policy, and publishes the data resource on a blockchain; and a data control layer, configured to set up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on a consortium chain, so as to realize user identity management, access control, data sharing transactions and full-text retrieval over ciphertext data. Cross-application confirmation of data rights, secure sharing and orderly circulation are achieved, and unauthorized access and privacy disclosure are avoided.

Description

Data security sharing system and method taking data as center
Technical Field
The invention relates to the technical field of data security sharing and privacy protection, and in particular to a data-centric data security sharing system and method.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
With the explosive growth of user data and the development of cloud storage services, more and more applications store their data in the cloud.
As shown in FIG. 1, in the conventional mode application programs interact with data directly, and this faces several challenges. On the one hand, the data types and storage methods of different applications are complex and diverse, which makes data access and sharing difficult. On the other hand, secure storage and processing of the data are left to the application programs themselves, so when data is shared across applications, data and private information are easily leaked; data generated by a user in various applications (APPs) is hard to erase after the account is cancelled, and there is no effective technical means to protect the user's privacy and 'right to be forgotten'.
In addition, data is mostly stored in the cloud in plaintext. During migration to the cloud, internet access, network storage, third-party data centre hosting, big data analysis, data sharing transactions and so on, the user loses control over the data; the confidentiality, integrity and availability of user data cannot be guaranteed, and the data is exposed to security risks such as leakage, tampering, and illegal acquisition and use. How to ensure that data owners keep control of their electronic data has long been one of the technical problems in the field of information security, and has become a pain point of the data security field.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides a data-centric data security sharing system and method: a data management system oriented to the full data life cycle is established to protect and supervise data security; the various applications complete the publishing, transmission, storage, access, retrieval, sharing and circulation of data through a uniform calling specification, so that cross-application confirmation of data rights, secure sharing and orderly circulation are realized, and unauthorized access and privacy disclosure are avoided.
In a first aspect, the invention provides a data-centric data security sharing system;
the data-centric data security sharing system is deployed in a layered, multi-sub-chain parallel mode and comprises:
a data storage layer, configured to realize the organization, management and encrypted storage of data;
a data distribution layer, configured so that the data owner sets a data access control policy according to the attributes of the data user, encrypts the data in combination with that policy, and publishes the data resource on a blockchain;
a data control layer, configured to set up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on a consortium chain, so as to realize user identity management, access control, data sharing transactions and full-text retrieval over ciphertext data.
In a second aspect, the invention provides a data-centric data security sharing method;
the data-centric data security sharing method comprises the following steps:
the data storage layer realizes the organization, management and encrypted storage of data;
in the data distribution layer, the data owner sets a data access control policy according to the attributes of the data user, encrypts the data in combination with that policy, and publishes the data resource on a blockchain;
the data control layer sets up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on the consortium chain, so as to realize user identity management, access control, data sharing transactions and full-text retrieval over ciphertext data.
Compared with the prior art, the invention has the beneficial effects that:
1. A new mode of private data security management and application is established, the unity of data ownership and data management rights is guaranteed, and the problems of cross-application confirmation of data rights, secure sharing and orderly circulation are solved.
2. A data organization specification is formulated, and multi-party, multi-source data is organized according to it into a unified format, so that the data of different application programs can be shared through a uniform calling specification.
3. A trusted on-chain/off-chain cooperation mechanism is provided: machine learning training and ciphertext full-text retrieval are migrated off-chain, so that compute-intensive services move off-chain while on-chain contracts are simplified, which greatly improves service execution efficiency. Throughout the process the data accessor obtains only the result of the machine learning training or of the retrieval, while the machine learning sub-chain and the data retrieval sub-chain provide data support under privacy protection; this strengthens the reliability and confidentiality of the data and realizes 'data available but invisible' during circulation.
4. During storage and access, data is transmitted and stored in encrypted form; visitors without access authority cannot obtain the plaintext, and even the cloud storage provider cannot directly access plaintext data. This solves the problem of data leakage caused by untrusted third-party service providers and guarantees data security and the user's right to privacy and to be forgotten.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention; they illustrate exemplary embodiments of the invention and, together with the description, serve to explain the invention without limiting it.
FIG. 1 illustrates the interaction pattern of an application and data in the conventional mode;
FIG. 2 illustrates the data interaction mode in the new data management system according to the first embodiment of the present invention;
FIG. 3 is a flowchart of data processing according to the first embodiment of the present invention;
FIG. 4 is a flowchart of the data publishing process according to the first embodiment of the present invention;
FIG. 5 is a flowchart of data access according to the first embodiment of the present invention;
FIG. 6 is a flowchart of data mining according to the first embodiment of the present invention;
FIG. 7 is a flowchart of the full-text retrieval process according to the first embodiment of the present invention;
FIG. 8 is a flowchart of supervision according to the first embodiment of the present invention;
FIG. 9 is a flowchart of data deletion according to the first embodiment of the present invention.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the invention. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
All data is used lawfully, on the basis of compliance with laws and regulations and with user consent.
Interpretation of terms:
SGX: Software Guard Extensions (SGX) is an extension of the Intel architecture that adds a new set of instructions and memory access mechanisms to the original system. These extensions allow an application to create a container called an enclave, which partitions a protected area within the application's address space and protects the code and data inside it from malicious software, even software running with special privileges.
TEE: a Trusted Execution Environment (TEE) is an independent processing environment with computing and storage functions that provides security and integrity protection. The basic idea is to allocate an isolated memory region in hardware for sensitive data; all computation on sensitive data is carried out in that isolated memory, and other parts of the hardware cannot access its contents except through an authorized interface. The TEE is a secure area on the central processor that ensures sensitive data is processed in an isolated and trusted environment. Compared with other secure execution environments, a TEE can protect the integrity and confidentiality of a TA (trusted application) end to end, while providing stronger processing capacity and larger memory space.
This embodiment discloses a data-centric data security sharing system and method that addresses the problems of current data management, namely diverse and complex data types, separation of ownership from management rights, poor collaboration and imperfect privacy protection measures, and ensures that data can be shared and used across various application programs.
Example one
This embodiment provides a data-centric data security sharing system;
the data-centric data security sharing system is deployed in a layered, multi-sub-chain parallel mode and comprises:
a data storage layer, configured to realize the organization, management and encrypted storage of data;
a data distribution layer, configured so that the data owner sets a data access control policy according to the attributes of the data user, encrypts the data in combination with that policy, and publishes the data resource on a blockchain;
a data control layer, configured to set up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on a consortium chain, so as to realize user identity management, access control, data sharing transactions and full-text retrieval over ciphertext data.
Further, the data storage layer is configured to: perform format conversion and encrypted storage of the data, so as to support trusted sharing of multi-service, multi-source data.
Further, the data storage layer is configured to: formulate a data organization specification, organize multi-source heterogeneous data into a uniform format according to that specification, and store it; the data store supports a variety of distributed storage systems and provides a common interface to the outside.
Illustratively, the distributed storage systems include IPFS, MinIO and MogileFS.
Further, the data distribution layer is configured to: publish data resources using a blockchain; the data owner encrypts the data and stores the ciphertext on the cloud server.
Further, as shown in FIG. 4, the data distribution layer is configured to:
(1) the data owner sets a data access control policy for the data to be published, covering four types of users (data user, data accessor, data miner and data supervisor); a data accessor can successfully access the data only if its attributes satisfy the access policy set by the data owner;
(2) the data distribution layer calls a symmetric key generation algorithm to generate a key (each data owner has a unique key) and calls a symmetric encryption algorithm to encrypt the data, obtaining the encrypted data encryptdata; it then calls a distributed storage algorithm to store encryptdata in the distributed network and records the storage hash value hashipfs used to retrieve encryptdata;
(3) the data distribution layer calls the initialization function of the ciphertext-policy attribute-based encryption (CP-ABE) algorithm to generate a public key PK and a master key MK, then calls the CP-ABE encryption function with the data owner's access control policy and the public key PK to encrypt the symmetric key, obtaining and storing the key ciphertext encryptkey;
(4) the data distribution layer calls a hash function over the data to be published, obtaining the data hash value hashfile, which is used to verify the integrity of the data; it then triggers the smart contract to publish the storage hash value hashipfs, the access control policy and the data hash value hashfile on the blockchain.
Further, the user identity sub-chain, the access control empowerment sub-chain, the data transaction sub-chain, the data retrieval sub-chain, the machine learning sub-chain and the data update sub-chain are parallel sub-chains, each handling a different service, so as to improve the multi-service parallel trusted processing capability.
Further, the user identity sub-chain is configured to: record the identity information of blockchain users; it realizes dynamic join and exit management of consortium users and allows a user to participate in multiple sub-chain transactions under different identities.
Further, the access control empowerment sub-chain is configured to: allow a data accessor to access data only when its attributes satisfy the access control policy set by the data owner.
Further, the access control empowerment sub-chain is configured to: realize authorized access, data retrieval and key management through smart contracts. Smart contracts execute automatically and cannot be modified once deployed, which guarantees the consistency and synchronization of every node, prevents cheating by any participant (users, retrieval nodes and storage service providers), and ensures the security and reliability of the data access and retrieval process.
Further, as shown in FIG. 5, the access control empowerment sub-chain is configured to:
(1) after the data accessor sends a request for the data to the blockchain, the blockchain returns the data hash value, the storage address and the accessor's attributes;
(2) the access control empowerment sub-chain executes the keygen algorithm of the CP-ABE scheme to generate a private key SK from the public key PK, the master key MK and the accessor's attributes;
(3) the access control empowerment sub-chain calls the query function ipfs-search of the distributed storage algorithm with the storage hash value hashipfs and obtains the data ciphertext encryptdata from the distributed storage network;
(4) the access control empowerment sub-chain requests the key ciphertext encryptkey of the data from the database and calls the CP-ABE decryption function with the private key SK to decrypt encryptkey, obtaining the decrypted key decryptkey;
(5) the access control empowerment sub-chain calls the symmetric encryption algorithm to decrypt the data ciphertext encryptdata with the decrypted key, obtaining the decrypted file decryptdata;
(6) the access control empowerment sub-chain calls the hash function over decryptdata and compares the result with the hash value obtained from the blockchain; if they are the same, the access succeeds, which guarantees the confidentiality and integrity of the data.
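The attribute check of step (1) in the publishing flow and the hashfile comparison of step (6) above, as an added example that is not the patent's code: the policy grammar, the SHA-256 stand-in for the storage hash and the sample attribute names are assumptions, and the CP-ABE and symmetric cipher steps are not modelled, only the gate and the integrity record around them.

```python
"""Policy gate and on-chain integrity record for the publish/access flow (added example)."""
import hashlib
import re
from dataclasses import dataclass

# Policy grammar (assumed; the patent fixes no syntax). AND binds tighter than OR:
#   expr := term ('OR' term)* ; term := atom ('AND' atom)* ; atom := ATTR | '(' expr ')'
_TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|[A-Za-z0-9_:\-]+)")


def tokenize(policy: str) -> list[str]:
    pos, tokens, policy = 0, [], policy.strip()
    while pos < len(policy):
        m = _TOKEN.match(policy, pos)
        if not m:
            raise ValueError(f"unexpected character near {policy[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    def __init__(self, tokens: list[str]):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.term())
        return node

    def term(self):
        node = self.atom()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.atom())
        return node

    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("ATTR", tok)


def parse_policy(policy: str):
    """Parse the owner's policy into ('AND'|'OR', left, right) and ('ATTR', name) nodes."""
    parser = _Parser(tokenize(policy))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return tree


def satisfies(tree, attrs: set[str]) -> bool:
    """Step (1): the accessor's attribute set must satisfy the access structure."""
    if tree[0] == "ATTR":
        return tree[1] in attrs
    left, right = satisfies(tree[1], attrs), satisfies(tree[2], attrs)
    return (left and right) if tree[0] == "AND" else (left or right)


@dataclass(frozen=True)
class ChainRecord:
    hashipfs: str  # storage hash of encryptdata in the distributed store
    policy: str    # access control policy over accessor attributes
    hashfile: str  # hash of the plaintext, checked in step (6) of the access flow


def publish(plaintext: bytes, encryptdata: bytes, policy: str) -> ChainRecord:
    """Step (4) of the publishing flow: what the smart contract records on-chain."""
    parse_policy(policy)  # refuse to publish a policy nobody can evaluate
    return ChainRecord(
        hashipfs=hashlib.sha256(encryptdata).hexdigest(),  # stand-in for the IPFS hash
        policy=policy,
        hashfile=hashlib.sha256(plaintext).hexdigest(),
    )


def may_access(record: ChainRecord, attrs: set[str]) -> bool:
    return satisfies(parse_policy(record.policy), attrs)


def integrity_ok(record: ChainRecord, decryptdata: bytes) -> bool:
    """Step (6): the hash of the decrypted file must equal the on-chain hashfile."""
    return hashlib.sha256(decryptdata).hexdigest() == record.hashfile


# Constructed sample: a policy over two of the four user types and a published record.
SAMPLE_POLICY = "(role:data-user AND org:hospital-A) OR role:data-supervisor"
SAMPLE_RECORD = publish(b"constructed plaintext", b"constructed ciphertext", SAMPLE_POLICY)
```

A data user from hospital-A passes the gate, a data user without the org attribute is refused, and a stored file altered by the storage provider fails integrity_ok even when the policy is satisfied.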
Further, the data transaction child chain is configured to: data transaction is realized, a data access terminal puts forward a data transaction requirement, a data access control strategy is obtained from an access control authority sub-chain, and data transaction right is confirmed according to the strategy; and after the right is confirmed to pass, re-encrypting the data according to the new data owning terminal information to generate key information and issuing the key information.
Further, the data transaction child chain is configured to:
(1) the data access end sends a transaction data request to the access control authorization sub-chain, and the access control authorization sub-chain returns access attributes;
(2) the data transaction sub-chain verifies the access attribute, and resets the data access authority policy after the verification is passed;
(3) the data transaction subchain calls a symmetric encryption algorithm to generate a key for an owner after data flow, and calls the symmetric encryption algorithm to encrypt data to obtain encrypted data encryptdata; calling a distributed storage algorithm to store the encrypted data encryptdata in a distributed network, and recording a hash value hashipfs for accessing the encrypted data encryptdata;
(4) the data transaction subchain calls a hash function to perform hash calculation on transaction data to obtain a data hash value hash file, and sends the hash value hash file, a stored hash value hashipfs and a policy to a block chain network to generate an intelligent contract;
(5) the data transaction subchain calls an initialization function of a ciphertext strategy attribute-based encryption algorithm to generate a public key PK and a main key MK, the public key PK and an access control strategy policy are used as input, and an encryption function of the ciphertext strategy attribute-based encryption algorithm is called to encrypt a key to obtain a ciphertext encrypt key of the key and store the ciphertext encrypt key.
Further, the data retrieval sub-chain and the machine learning sub-chain are configured to: adopt an off-chain/on-chain cooperative mode in which the data required for machine learning or data retrieval is downloaded off-chain for processing and the execution result is verified on-chain; the user can obtain only the trained machine learning model result or the retrieval result, not the original data or the intermediate data, which improves service execution efficiency.
It should be understood that, to address the large resource consumption of data processing, an efficient off-chain execution and on-chain trusted verification model for complex business logic is provided: machine learning and data modelling are migrated off-chain, where computing power is sufficient, and on-chain contract logic is minimized.
Further, the machine learning sub-chain is configured to: provide learning training data to the business processing module, which can obtain only the learning training results, not the original data or the intermediate data.
Further, as shown in FIG. 6, the machine learning sub-chain is configured to:
(1) download the required training data according to the demand and authority of the data accessor and send it to the business processing module;
(2) establish a trusted execution environment based on the SGX mechanism in the business processing module;
(3) the machine learning sub-chain decrypts the data, selects a machine learning algorithm according to the data type and the demand, and trains it to generate model parameters;
(4) the machine learning sub-chain encrypts the training results and uploads them to the machine learning sub-chain, performing data verification to ensure that the off-chain data is put on-chain securely;
(5) the blockchain treats the model parameters of each training round as a transaction and, when the model converges, packs the transactions into a block;
(6) revenue for the data provider is calculated according to the reward system and recorded on the blockchain, so as to encourage data providers to supply data.
Further, the data retrieval child chain is configured to: and full-text retrieval of the ciphertext is realized.
Further, as shown in fig. 7, the data retrieval child chain is configured to:
(1) the data access end puts forward a retrieval requirement, firstly, the data owning end and the data using end exchange an external address (EOA), the data using end uses the public key of the data owning end to encrypt the public key and the query key words of the data using end, and then, the ciphertext is packaged into a transaction.
Inquiring recent transaction by a data owning terminal, decrypting encrypted data in the transaction, performing Keccak-256 hash operation on the extracted public key of a data using terminal, intercepting the last 20 bytes into a character string R1, matching R1 with a sending address Addr, if R1= Addr, indicating that the data using terminal requests authorization, encrypting and uploading a symmetric key to a cloud server by using the public key of the data using terminal by the data owning terminal, returning a hash index corresponding to a key ciphertext to the data owning terminal by the cloud server, generating a timestamp and signing the hash index, sending the encrypted symmetric key Enc (DOpk, key) to the data using terminal by generating transaction txkey, and finally recording the txkey in a block chain by using a node, wherein the data owning terminal and the data using terminal use the same symmetric key for encryption and decryption, the key can be replaced regularly, and the data owning terminal wants to revoke the access right of the data using terminal and is realized by replacing the key and generating a new key for transaction. The data using end checks the transaction in the nearest block chain, and checks whether the address is the data owning end, if so, the data using end decrypts the transaction by using the own private key to obtain authorization information (a symmetric secret key);
(2) the data owning end verifies the identity of the data using end;
(3) after the data owning end's verification succeeds, the symmetric key is encrypted with the public key of the data using end and uploaded to the cloud server, obtaining a hash index;
(4) the data owning end uploads the hash index to the block chain in the form of a transaction, for the data using end to access the encrypted data;
(5) the data using end encrypts the keywords and the symmetric key with the TEE public key and uploads them to the block chain for retrieval;
(6) the TEE obtains the encrypted keywords and symmetric key from the block chain, performs the retrieval after obtaining the ciphertext, and uploads the signature of the retrieval result to the block chain.
The supervision node is configured at the data control layer. The supervision node adopts multi-mode supervision to track, monitor and manage each subordinate parallel sub-chain, and records and monitors the state information of the sub-chains. As shown in fig. 8, the upper flow is driven by the data owning end and the lower flow by the supervisor; the specific supervision flow of the supervision node is as follows:
(1) first, the data owning end formulates the access control policy of the data, encrypts the data under the attributes and uploads it to the multi-source block chain nodes;
(2) user validity authentication is carried out in the access control empowerment sub-chain and the authority information is verified;
(3) sensitive data is screened by an intelligent contract integrating deep learning; the data and the corresponding authority information are stored in a plurality of cluster nodes;
(4) the data supervisor requests access to the corresponding data and queries the user's access authority;
(5) the supervision node analyzes the data stored on the plurality of storage nodes in the cloud server and identifies violating data, achieving multi-source tracing;
(6) whether the user's identity and authority information grants the right to access the data is verified through the access control empowerment sub-chain;
(7) if the user has the authority, the data is decrypted through the attributes, achieving fine-grained supervision; if the user does not have the authority, the corresponding error information is returned.
Further, the data update sub-chain is used for deleting and modifying the data.
Further, the data update sub-chain is configured to:
the data owning end sends a data access request, and the access attribute is returned;
the access attribute is verified, and after verification passes the data is updated;
the encryption function of the symmetric encryption algorithm is called to encrypt the data, obtaining the encrypted data encryptdata; the distributed storage algorithm is called to store encryptdata in the distributed network, and the hash value hashipfs used to access the ciphertext is recorded;
the hash function is called to hash the updated data, obtaining the data hash value hashfile, and hashfile, the stored hash value hashipfs and the policy are sent to the block chain network to generate an intelligent contract.
As shown in fig. 9, the data deletion process is as follows: the data owning end sends a data access request, and the access attribute is returned; the key ciphertext is queried from the database; the access attribute is verified, and after verification passes the key ciphertext is deleted, so that the data can no longer be accessed; this allows the data to be deleted quickly.
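The publish, access, update and delete cycle described for the data update sub-chain above, together with the distribution-layer and access-control steps restated in claim 1 (encryptdata, hashipfs, encryptkey, hashfile, decryptdata), as an added Python example that is not part of the patent. The CP-ABE wrapping of the symmetric key is stood in for by a key store that releases the key only when the requester's attributes satisfy the access structure; the symmetric cipher is a SHAKE-256 keystream stand-in (not authenticated, which is exactly why the on-chain hashfile check matters); the distributed store is a content-addressed dict. The class, its method names and the sample record and policy are assumptions.

```python
import hashlib
import os


# Access structure as used by CP-ABE policies: an attribute name, or an
# ("AND", ...) / ("OR", ...) node over sub-structures.
def policy_satisfied(policy, attrs) -> bool:
    if isinstance(policy, str):
        return policy in attrs
    op, *subs = policy
    results = [policy_satisfied(s, attrs) for s in subs]
    return all(results) if op == "AND" else any(results)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric encryption algorithm: a SHAKE-256(key || nonce)
    keystream XORed with the data. Provides confidentiality only; integrity is
    checked separately against hashfile, as in the patent's access flow."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


class SharingSystem:
    """Assumed simplification of the distribution, access-control and update sub-chains."""

    def __init__(self):
        self.ipfs = {}     # hashipfs -> encryptdata   (content-addressed blob store)
        self.key_db = {}   # hashipfs -> (policy, key) (stands in for the CP-ABE encryptkey)
        self.chain = []    # published records: hashipfs, hashfile, policy

    def publish(self, data: bytes, policy) -> int:
        key = os.urandom(32)                          # symmetric data key
        nonce = os.urandom(16)
        encryptdata = nonce + stream_xor(key, nonce, data)
        hashipfs = hashlib.sha256(encryptdata).hexdigest()
        self.ipfs[hashipfs] = encryptdata
        self.key_db[hashipfs] = (policy, key)         # key released only under policy
        hashfile = hashlib.sha256(data).hexdigest()   # integrity anchor recorded on chain
        self.chain.append({"hashipfs": hashipfs, "hashfile": hashfile, "policy": policy})
        return len(self.chain) - 1

    def access(self, record_id: int, attrs):
        rec = self.chain[record_id]
        if not policy_satisfied(rec["policy"], attrs):
            return None, "attributes do not satisfy policy"
        entry = self.key_db.get(rec["hashipfs"])
        if entry is None:
            return None, "key ciphertext deleted"
        _, key = entry
        blob = self.ipfs[rec["hashipfs"]]
        decryptdata = stream_xor(key, blob[:16], blob[16:])
        if hashlib.sha256(decryptdata).hexdigest() != rec["hashfile"]:
            return None, "integrity check failed"   # stored ciphertext was altered
        return decryptdata, "ok"

    def update(self, record_id: int, new_data: bytes) -> int:
        """Re-encrypt under a fresh key and publish a new record; the old key
        ciphertext is dropped so the superseded ciphertext becomes unreadable."""
        new_id = self.publish(new_data, self.chain[record_id]["policy"])
        self.delete(record_id)
        return new_id

    def delete(self, record_id: int) -> None:
        """Fast deletion as in fig. 9: only the key ciphertext is removed; the blob
        in distributed storage remains but can no longer be decrypted."""
        self.key_db.pop(self.chain[record_id]["hashipfs"], None)
```

Deleting only the key ciphertext is what makes deletion fast, but it also means the encrypted blob persists in the distributed store; the scheme's confidentiality after deletion therefore rests entirely on the key ciphertext being unrecoverable.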
The system combines block chain, machine learning, SGX encryption, distributed storage and a transparent encryption algorithm to establish a management scheme oriented to the full data life cycle (organization, release, transmission, storage, access, sharing and circulation), realizes secure sharing and joint use of data, and provides theoretical and technical support for multi-party trusted cooperation and efficient parallel processing of multiple services.
The invention provides a novel data-centric data security sharing system and method. As shown in fig. 2, the data security sharing system is deployed in Docker as micro-services; an application program interacts with the cloud through the data security sharing system, which represents the data in a unified, standard way and provides functions such as access control, encrypted storage, charging/clearing, privacy computation, ciphertext retrieval, supervision audit, and source tracing and evidence collection, achieving secure and reliable sharing and joint use of data.
As shown in fig. 3, users are divided into four types, namely the data using end, the data access end, the data mining end and the data monitoring end, and the data processing flow is as follows:
the various application data are represented in a uniform standard way, forming the metadata of each data item;
the data owner defines the access control attributes of the data block (including the authority for data access, modification, sharing, deletion, retrieval, transaction, machine learning and the like), encrypts the uniformly standardized data and stores it on the cloud server, and publishes information such as the attributes and storage links of the data to the block chain;
for the published data, an intelligent contract judges whether the data access end has the right to access the data, and on that basis data circulation, data access, data deletion, data updating and efficient full-text retrieval of ciphertext data are realized;
the system externally provides a data access mode used only for machine learning; in this mode a data miner accesses the data according to its own attributes and, using a machine learning algorithm in a trusted execution environment, trains on the data to generate a model and returns the model parameters; the data access end can only see the result of the algorithm, not the detailed data, achieving the effect of data being "available but invisible"; the data monitoring end performs security monitoring and auditing of the state of the block chain, the users and the data.
Example two
This embodiment provides a data-centric data security sharing method.
A data-centric data security sharing method comprises the following steps:
the data storage layer realizes organization management and encrypted storage of the data;
the data owner of the data distribution layer sets a data access control policy according to the attributes of the data user, encrypts the data in combination with the access control policy and publishes the data resource on the block chain;
the data control layer sets up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on the alliance chain; the method and system realize user identity management, access control, data sharing transactions and full-text retrieval of ciphertext data.
The specific details of each step of the second embodiment correspond to those of the first embodiment and are not repeated here.
The above description is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall fall within its protection scope.

Claims (2)

1. A data-centric data security sharing system, characterized in that a plurality of sub-chains are deployed in a layered, parallel manner, the system comprising:
a data storage layer configured to: realize organization management and encrypted storage of the data;
the data storage layer being configured to: perform format conversion and encrypted storage of the data to support trusted sharing of multi-service, multi-source data; formulate a data organization specification, organize multi-source heterogeneous data into a uniform format according to the specification, and store it; the data storage supports various distributed storage systems and exposes a universal interface;
a data distribution layer configured to: the data owner sets a data access control policy according to the attributes of the data user, encrypts the data in combination with the access control policy, and publishes the data resource on the block chain;
the data distribution layer being configured to:
(1) the data owning end sets a data access control policy for the data to be published, aimed at four types of users, namely the data using end, the data access end, the data mining end and the data monitoring end; the data access end can successfully access the data only when its attributes satisfy the access policy set by the data owning end;
(2) the data distribution layer calls a symmetric key generation algorithm to generate a key, each data owning end having a unique key, and calls a symmetric encryption algorithm to encrypt the data, obtaining the encrypted data encryptdata; the data distribution layer calls a distributed storage algorithm to store encryptdata in the distributed network and records the storage hash value hashipfs used to access encryptdata;
(3) the data distribution layer calls the initialization function of the ciphertext-policy attribute-based encryption algorithm to generate a public key PK and a master key MK, and calls the encryption function of the ciphertext-policy attribute-based encryption algorithm with the data owning end's access control policy (policy) and the public key PK to encrypt the key, obtaining the key ciphertext encryptkey and storing it;
(4) the data distribution layer calls a hash function to hash the data to be published by the data owner, obtaining the data hash value hashfile; hashfile is used to verify the integrity of the data, and triggers the intelligent contract to publish the stored hash value hashipfs, the access control policy and the data hash value hashfile on the block chain;
a data control layer configured to: set up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on the alliance chain, realizing user identity management, access control, data sharing transactions and full-text retrieval of ciphertext data;
the access control empowerment sub-chain being configured to:
(1) after the data access end sends an access request for the data to the block chain, the block chain returns the data hash value, the storage address and the attributes of the visitor;
(2) the access control empowerment sub-chain executes the keygen key generation algorithm of the ciphertext-policy attribute-based encryption algorithm to generate a private key SK from the public key PK, the master key MK and the visitor attributes;
(3) the access control empowerment sub-chain calls the query function ipfs-search of the distributed storage algorithm with the stored hash value hashipfs and obtains the access data ciphertext from the distributed storage network;
(4) the access control empowerment sub-chain sends a request to the database, obtains the key ciphertext encryptkey of the access data, and calls the decryption function of the ciphertext-policy attribute-based encryption algorithm to decrypt encryptkey, obtaining the decryption key;
(5) the access control empowerment sub-chain calls the symmetric encryption algorithm to decrypt the data ciphertext encryptdata with the decryption key, obtaining the decrypted file decryptdata;
(6) the access control empowerment sub-chain calls the hash function to hash decryptdata, obtaining its hash value, and compares it with the hash value obtained from the block chain; if they are the same the access succeeds, which guarantees the confidentiality and integrity of the data;
the data transaction sub-chain being configured to:
(1) the data access end sends a data transaction request to the access control empowerment sub-chain, and the access control empowerment sub-chain returns the access attributes;
(2) the data transaction sub-chain verifies the access attributes and, after verification passes, resets the data access authority policy;
(3) the data transaction sub-chain calls the symmetric encryption algorithm to generate a key for the owner after the data flow, and calls the symmetric encryption algorithm to encrypt the data, obtaining the encrypted data encryptdata; it calls the distributed storage algorithm to store encryptdata in the distributed network and records the hash value hashipfs used to access encryptdata;
(4) the data transaction sub-chain calls the hash function to hash the transaction data, obtaining the data hash value hashfile, and sends hashfile, the stored hash value hashipfs and the policy to the block chain network to generate an intelligent contract;
(5) the data transaction sub-chain calls the initialization function of the ciphertext-policy attribute-based encryption algorithm to generate a public key PK and a master key MK, takes the public key PK and the access control policy as input, and calls the encryption function of the ciphertext-policy attribute-based encryption algorithm to encrypt the key, obtaining the key ciphertext encryptkey and storing it;
the machine learning sub-chain being configured to:
(1) download the required training data according to the requirements and authority of the data access end and send it to the service processing module;
(2) establish a trusted execution environment based on the SGX mechanism in the service processing module;
(3) the machine learning sub-chain decrypts the data, selects a machine learning algorithm according to the data type and requirements, and trains it to generate model parameters;
(4) the service processing module encrypts the trained information and uploads it to the machine learning sub-chain, where data verification is performed to ensure the secure on-chain recording of off-chain data;
(5) the block chain treats the model parameters of each training round as a transaction, and when the model converges the transactions are packed into a block;
(6) earnings are calculated for the data providers according to a reward system and recorded on the block chain, to encourage data providers to supply data;
the data retrieval sub-chain being configured to:
(1) the data access end raises a retrieval requirement; first, the data owning end and the data using end exchange external addresses, the data using end encrypts the public key of the data owning end and the query keywords with the public key of the data owning end, and the ciphertext is packaged into a transaction;
(2) the data owning end verifies the identity of the data using end;
(3) after the data owning end's verification succeeds, the symmetric key is encrypted with the public key of the data using end and uploaded to the cloud server, obtaining a hash index;
(4) the data owning end uploads the hash index to the block chain in the form of a transaction, for the data using end to access the encrypted data;
(5) the data using end encrypts the keywords and the symmetric key with the TEE public key and uploads them to the block chain for retrieval;
(6) the TEE obtains the encrypted keywords and symmetric key from the block chain, performs the retrieval after obtaining the ciphertext, signs the retrieval result and uploads it to the block chain;
the data update sub-chain being configured to:
the data owning end sends a data access request, and the access attribute is returned;
the access attribute is verified, and after verification passes the data is updated;
the encryption function of the symmetric encryption algorithm is called to encrypt the data, obtaining the encrypted data encryptdata; the distributed storage algorithm is called to store encryptdata in the distributed network, and the hash value hashipfs used to access the ciphertext is recorded;
the hash function is called to hash the updated data, obtaining the data hash value hashfile, and hashfile, the stored hash value hashipfs and the policy are sent to the block chain network to generate an intelligent contract;
the data control layer is also configured with a supervision node, the specific supervision flow of which is as follows:
(1) first, the data owning end formulates the access control policy of the data, encrypts the data under the attributes and uploads it to the multi-source block chain nodes;
(2) user validity authentication is carried out in the access control empowerment sub-chain and the authority information is verified;
(3) sensitive data is screened by an intelligent contract integrating deep learning; the data and the corresponding authority information are stored in a plurality of cluster nodes;
(4) the data supervisor requests access to the corresponding data and queries the user's access authority;
(5) the supervision node analyzes the data stored on the plurality of storage nodes in the cloud server and identifies violating data, achieving multi-source tracing;
(6) whether the user's identity and authority information grants the right to access the data is verified through the access control empowerment sub-chain;
(7) if the user has the authority, the data is decrypted through the attributes, achieving fine-grained supervision; if the user does not have the authority, the corresponding error information is returned.
2. A data-centric data security sharing method using the data-centric data security sharing system of claim 1, comprising:
the data storage layer realizes organization management and encrypted storage of the data;
the data owner of the data distribution layer sets a data access control policy according to the attributes of the data user, encrypts the data in combination with the access control policy and publishes the data resource on the block chain;
the data control layer sets up a user identity sub-chain, an access control empowerment sub-chain, a data transaction sub-chain, a data retrieval sub-chain, a machine learning sub-chain and a data update sub-chain on the alliance chain, so as to realize user identity management, access control, data sharing transactions and full-text retrieval of ciphertext data.
CN202210417866.7A 2022-04-21 2022-04-21 Data security sharing system and method taking data as center Active CN114520747B (en)

Publications (2)

Publication Number Publication Date
CN114520747A CN114520747A (en) 2022-05-20
CN114520747B true CN114520747B (en) 2022-08-30

Family

ID=81600395

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant