CN114944949B - Data authorization method, system, device and storage medium based on block chain - Google Patents

Data authorization method, system, device and storage medium based on block chain Download PDF

Info

Publication number
CN114944949B
CN114944949B CN202210535037.9A CN202210535037A CN114944949B CN 114944949 B CN114944949 B CN 114944949B CN 202210535037 A CN202210535037 A CN 202210535037A CN 114944949 B CN114944949 B CN 114944949B
Authority
CN
China
Prior art keywords
data
authorization
hash value
permit
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210535037.9A
Other languages
Chinese (zh)
Other versions
CN114944949A (en
Inventor
尹浩
查聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CN202210535037.9A priority Critical patent/CN114944949B/en
Publication of CN114944949A publication Critical patent/CN114944949A/en
Application granted granted Critical
Publication of CN114944949B publication Critical patent/CN114944949B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data authorization method, a system, a device and a storage medium based on a block chain, wherein the method comprises the following steps: the data authorization end generates an encrypted permit according to a target authorization object attribute group and the generated data authorization permit based on a preset mixed encryption algorithm, and links the encrypted permit for storage, the data use end acquires the encrypted permit and a first transaction hash value, and under the condition that decryption is passed, generates a data access permit according to a user identifier, a user signature and the data authorization permit, links the hash value of the data access permit for storage, and acquires a second transaction hash value, and sends the data access permit, the first transaction hash value and the second transaction hash value to a target data source, so that the target data source judges whether the data access permit meets a preset verification rule, and if so, the use permission of the data use end on the target data is opened. The invention improves the reliability of data privacy protection.

Description

Data authorization method, system, device and storage medium based on block chain
Technical Field
The present invention relates to the field of data authority management technologies, and in particular, to a block chain-based data authorization method, system, device, and storage medium.
Background
With the continuous development of block chain technology and big data technology, the demand for privacy protection reliability of data in the circulation process is increasing.
Compared with the traditional centralized authorization mechanism, the distributed authorization mechanism based on the block chain provided by the prior art depends on the decentralized characteristic of the block chain, and the problem of low data authorization efficiency caused by mutual independence of central nodes of the traditional centralized authorization mechanism is solved. However, due to the on-chain data of the blockchain, it is readable to the consensus node. Therefore, if the consensus node is attacked, the use right of the data can be obtained by reading the data authorization information on the consensus node, so that the stealing or tampering of the data is realized. Therefore, how to improve the reliability of data privacy protection in the data authorization process becomes an urgent problem to be solved.
Disclosure of Invention
Embodiments of the present invention provide a data authorization method, system, apparatus, and storage medium based on a block chain, so as to improve reliability of data privacy protection in a data authorization process. The specific technical scheme is as follows:
a method of data authorization based on a blockchain, the method comprising:
and the data authorization terminal generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
And the data authorization end generates an encryption permit according to a target authorization object attribute group and the data authorization permit based on a preset mixed encryption algorithm, and calls a preset chain link contract to execute chain link storage operation on the encryption permit.
And the data using end acquires the encrypted certificate and the first transaction hash value matched with the encrypted certificate, and decrypts the encrypted certificate by using a locally stored decryption key.
And under the condition that the decryption is passed, the data using end generates a data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and the decryption.
And the data using end calls a preset evidence storing contract, executes chain evidence storing operation on the hash value of the data access evidence and obtains a second transaction hash value.
And the data using end sends the data access permit, the first transaction hash value and the second transaction hash value to a target data source according to the target data source identifier.
And the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, opens the use permission of the data use end to the target data.
Optionally, the data authorization end generates a data authorization pass according to the hash value of the target data, the identifier of the authorizing party, the identifier of the target data source, the access control condition data, the revocation verification information, and the signature of the authorizing party, and includes:
and the data authorization end symmetrically encrypts spliced data according to a first random number by using a preset symmetric encryption algorithm to obtain first spliced data, wherein the spliced data is obtained by performing data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by the data authorization end. And performing data splicing on a second random number and the first spliced data to obtain second spliced data, and performing hash operation on the second spliced data by using a preset hash algorithm to obtain the revocation verification information.
And the data authorization terminal performs data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data and the revocation verification information to obtain third spliced data. And carrying out Hash operation on the third spliced data by utilizing the preset Hash algorithm to obtain a Hash value of the third spliced data. And generating the signature of the authorized party according to the hash value of the third spliced data by utilizing a first preset signature generation algorithm.
And the data authorization terminal generates the data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
Optionally, the preset hybrid encryption algorithm is composed of the preset symmetric encryption algorithm and a preset attribute encryption algorithm, and the data authorization end generates an encrypted pass certificate according to the target authorized object attribute group and the data authorization pass certificate based on the preset hybrid encryption algorithm, including:
and the data authorization terminal symmetrically encrypts the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by using the preset symmetric encryption algorithm to obtain the head data of the certificate of pass.
And the data authorization end determines a decryption key of the certificate passing header data as an access key, and generates an initial encryption certificate passing according to the access key, the certificate passing header data and the certificate passing verification data, wherein the certificate passing verification data comprises the revocation verification information and the signature of the authorization party.
And the data authorization end performs attribute encryption on the access key in the initial encryption pass by using the preset attribute encryption algorithm according to the target authorization object data set to obtain the encryption pass.
Optionally, the decryption key is a key generated by the data using end according to the attribute data of the data using end by using the preset attribute encryption algorithm.
Optionally, when the data using end passes the decryption, generating a data access pass according to the user identifier, the user signature, and the data authorization pass obtained by decryption, includes:
and the data using end performs data splicing on the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data and the revocation verification information in the data authorization permit to obtain fourth spliced data.
And the data using end performs hash operation on the fourth spliced data by using the preset hash algorithm to obtain a hash value of the fourth spliced data.
And the data using end generates the user signature according to the hash value of the fourth splicing data by using a second preset signature generation algorithm.
And the data using end generates the data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and decryption.
Optionally, the preset validation rule comprises a data access validation rule and a data access validation rule,
the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit and the first transaction hash value, if so, the use authority of the data use end to the target data is opened, and the method comprises the following steps:
and the target data source carries out the verification of the validity verification rule of the data access permit according to the data access permit: and judging whether the hash value of the target data in the data access permit is consistent with the calculated hash value of the target data locally stored in the target data source. And judging whether the identifier of the authorized party in the data access permit is consistent with the user identifier matched with the target data locally stored in the target data source. And judging whether the access control condition data in the data access permit meets a preset access control condition or not. And judging whether the data access permit is revoked according to the first transaction hash value in the data access permit. And carrying out signature verification operation on the signature of the authorization party and the signature of the using party in the data access permit, and judging whether a verification result meets a preset verification condition. If yes, the target data source judges the data access permit and meets the data access permit validity verification rule.
And the target data source carries out data access permit verification and verification rule verification according to the data access permit and the second transaction hash value: and the target data source calculates a calculation hash value of the data access permit by using the preset hash algorithm. And the target data source searches whether an uplink record of the data access permit exists on a block chain or not according to the second transaction hash value, and if so, acquires the hash value of the data access permit stored on the block chain according to the second transaction hash value. And the target data source judges whether the hash value of the data access permit is consistent with the calculated hash value. And the block chain is provided with the uplink record of the data access permit, and under the condition that the hash value of the data access permit is consistent with the calculated hash value, the target data source judges the data access permit and the first transaction hash value to meet the data access permit verification rule.
And opening the use authority of the target data by the data use end under the condition that the target data source judges that the data access permit meets the preset verification rule.
Optionally, when the plurality of data access certificates have different target data source identifiers, the data using end invokes a preset certificate storing contract, performs a chain certificate storing operation on the hash value of the data access certificate, and obtains a first transaction hash value, further including:
for each target data source identifier: and the data using end utilizes a preset aggregation algorithm to aggregate the hash values of the multiple data access certificates matched with the target data source identifier to obtain an initial root hash value matched with the target data source identifier.
And the data using end utilizes the preset aggregation algorithm to aggregate the initial root hash value group to obtain the root hash value, wherein the initial root hash value group comprises a plurality of initial root hash values matched with the identifiers of the target data sources.
And the data using end calls the preset evidence storing contract, executes chain storing evidence operation on the root hash value and obtains a third transaction hash value.
A blockchain based data authorization system, the system comprising:
the data authorization terminal generates a data authorization pass certificate according to the hash value of the target data, the identifier of an authorization party, the identifier of a target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
And the data authorization end generates an encryption permit according to a target authorization object attribute group and the data authorization permit based on a preset mixed encryption algorithm, and calls a preset chain-linking contract to execute chain-linking storage operation on the encryption permit.
And the data using end acquires the encrypted certificate and the first transaction hash value matched with the encrypted certificate, and decrypts the encrypted certificate by using a locally stored decryption key.
And under the condition that the decryption is passed, the data using end generates a data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and the decryption.
And the data using end calls a preset evidence storing contract, executes chain evidence storing operation on the hash value of the data access evidence and obtains a second transaction hash value.
And the data using end sends the data access permit, the first transaction hash value and the second transaction hash value to the target data source according to the target data source identifier.
And the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, opens the use permission of the data use end to the target data.
Optionally, the data authorization side is configured to:
and the data authorization end symmetrically encrypts spliced data according to a first random number by using a preset symmetric encryption algorithm to obtain first spliced data, wherein the spliced data is obtained by performing data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by the data authorization end. And performing data splicing on a second random number and the first spliced data to obtain second spliced data, and performing hash operation on the second spliced data by using a preset hash algorithm to obtain the revocation verification information.
And the data authorization terminal performs data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data and the revocation verification information to obtain third spliced data. And carrying out Hash operation on the third spliced data by utilizing the preset Hash algorithm to obtain a Hash value of the third spliced data. And generating the signature of the authorized party according to the hash value of the third spliced data by utilizing a first preset signature generation algorithm.
And the data authorization terminal generates the data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
Optionally, the data authorization end is further configured to:
and the data authorization terminal symmetrically encrypts the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by using the preset symmetric encryption algorithm to obtain the head data of the certificate of pass.
And the data authorization end determines a decryption key of the certificate passing header data as an access key, and generates an initial encryption certificate passing according to the access key, the certificate passing header data and the certificate passing verification data, wherein the certificate passing verification data comprises the revocation verification information and the signature of the authorization party.
And the data authorization end performs attribute encryption on the access key in the initial encryption pass by using the preset attribute encryption algorithm according to the target authorization object data set to obtain the encryption pass.
Optionally, the data using end is configured to:
and the data using end performs data splicing on the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data and the revocation verification information in the data authorization permit to obtain fourth spliced data.
And the data using end performs hash operation on the fourth spliced data by using the preset hash algorithm to obtain a hash value of the fourth spliced data.
And the data using end generates the user signature according to the hash value of the fourth splicing data by using a second preset signature generation algorithm.
And the data using end generates the data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and decryption.
Optionally, the target data source is configured to:
and the target data source carries out validity verification rules verification of the data access permit according to the data access permit: and judging whether the hash value of the target data in the data access permit is consistent with the calculated hash value of the target data locally stored in the target data source. And judging whether the identifier of the authorized party in the data access permit is consistent with the user identifier matched with the target data locally stored in the target data source. And judging whether the access control condition data in the data access permit meets a preset access control condition or not. And judging whether the data access permit is revoked according to the first transaction hash value in the data access permit. And carrying out signature verification operation on the signature of the authorization party and the signature of the using party in the data access permit, and judging whether a verification result meets a preset verification condition. If yes, the target data source judges the data access permit and meets the data access permit validity verification rule.
And the target data source carries out data access permit verification and verification rule verification according to the data access permit and the second transaction hash value: and the target data source calculates a calculation hash value of the data access permit by using the preset hash algorithm. And the target data source searches whether an uplink record of the data access permit exists on the block chain or not according to the second transaction hash value, and if so, acquires the hash value of the data access permit stored on the block chain according to the second transaction hash value. And the target data source judges whether the hash value of the data access permit is consistent with the calculated hash value. And the block chain is provided with the uplink record of the data access permit, and under the condition that the hash value of the data access permit is consistent with the calculated hash value, the target data source judges the data access permit and the first transaction hash value to meet the data access permit verification rule.
And opening the use authority of the target data by the data use end under the condition that the target data source judges that the data access permit meets the preset verification rule.
Optionally, the data using end is further configured to:
when the plurality of data access certificates have different target data source identifiers, for each target data source identifier: and the data using end utilizes a preset aggregation algorithm to aggregate the hash values of the multiple data access certificates matched with the target data source identifier to obtain an initial root hash value matched with the target data source identifier.
And the data using end utilizes the preset aggregation algorithm to aggregate the initial root hash value group to obtain the root hash value, wherein the initial root hash value group comprises a plurality of initial root hash values matched with the identifiers of the target data sources.
And the data using end calls the preset evidence storing contract, executes chain storing evidence operation on the root hash value and obtains a third transaction hash value.
An apparatus for data authorization based on a blockchain, the apparatus comprising:
a processor;
a memory for storing the processor-executable instructions.
Wherein the processor is configured to execute the instructions to implement the blockchain-based data authorization method according to any one of the above.
A computer readable storage medium having instructions which, when executed by a processor of a blockchain based data authorization apparatus, enable the blockchain based data authorization apparatus to perform a blockchain based data authorization method as in any one of the above.
The embodiment of the invention provides a data authorization method, a system, a device and a storage medium based on a block chain, which generate a data authorization pass certificate comprising a hash value of target data, an identifier of an authorized party, a source identifier of the target data, access control condition data, revocation verification information and a signature of the authorized party through various encryption algorithms. So that the data content in the data authorization voucher can be converted into a readable state only by a corresponding decryption algorithm. Meanwhile, the data authorization pass is encrypted through the target authorization object attribute group to generate an encryption pass, so that the encryption pass is unreadable to the consensus node after the uploading block chain. And the encrypted certificate can be decrypted only by the decryption key matched with the target authorized object attribute group. And finally, acquiring corresponding linked data and data authorization certification data according to the data access certification, the first transaction hash value and the second transaction hash value through a preset verification rule, and verifying the data access certification so as to reduce the risk of malicious tampering of the data access certification in the transmission process. Therefore, the invention improves the reliability of data privacy protection.
Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a block chain-based data authorization method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a default aggregation algorithm according to an alternative embodiment of the present invention;
fig. 3 is a signaling diagram of a block chain-based data authorization method according to another alternative embodiment of the present invention;
fig. 4 is a block diagram of a data authorization system based on a blockchain according to another alternative embodiment of the present invention;
fig. 5 is a block diagram of a data authorization apparatus based on a block chain according to another alternative embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a data authorization method based on a block chain, as shown in fig. 1, the data authorization method includes:
s101, the data authorization end generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
Optionally, in an optional embodiment of the present invention, the data authorization pass may be a rights voucher digitally existing to characterize the usage right of the target data.
Optionally, in another optional embodiment of the present invention, since the data authorization certificate is encrypted in step S102 shown in fig. 1, it needs to be uploaded to the block chain for storage. And because the data in the blockchain is readable to the consensus node. Therefore, the invention can improve the reliability of data privacy protection by performing hash operation on the target data and representing the content of the target data by using the hash value of the target data.
It should be noted that, in an actual application scenario, there are various generation manners of the data authorization certificate, for example: and performing data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party, and generating the data authorization certificate according to Object Notation grammar rules (JavaScript Object Notification, JSON). The present invention is not limited or described in detail herein.
Optionally, in another optional embodiment of the present invention, the identifier of the authority party may be an identifier for characterizing the identity of the data authority party and signing the signature. It should be noted that, in practical applications, there are various ways to acquire the identifier of the authorized party, for example: when a data authorization entity logs in a data authorization terminal for the first time, a public key is generated by an Elliptic cryptosystem (ECC), and the public key is determined as an identifier of an authorizer of the data authorization entity. According to the invention, through the identifier of the authorized party, the purpose of hiding privacy data such as gender, name, age and the like of the data authorized party can be realized, and the reliability of data privacy protection is improved.
Optionally, in another optional embodiment of the present invention, the target data source identifier may be a unique identifier of a server for characterizing storage of the target data.
Optionally, in another optional embodiment of the present invention, the access control condition data may be a field for limiting an authorization condition. By setting the access control debugging data, target data can be prevented from being abused, and therefore reliability of data privacy protection is improved. The specific data types of the access control condition data include, but are not limited to: authorization deadlines and target data accessibility times, etc.
Optionally, in another optional embodiment of the present invention, the revocation verification information may be a field used for revocation verification. The target data needs to be authorized by the data authorization entity to be acquired and used by the data authorization object. Therefore, when the data authorization entity no longer agrees that the target data is used, the content of the revocation authentication information can be modified through a revocation operation to revoke the usage right of the target data. Thereby improving the flexibility and reliability of data privacy protection.
Optionally, in another optional embodiment of the present invention, the authorizer signature may be a field for verifying whether the authorization of the target data is issued by the data authorizing entity. The signature of the authorized party is generated by encrypting through a preset algorithm. Therefore, after the data authorization certificate is encrypted and uploaded to the blockchain, the signature of the authorizer is still unreadable for the blockchain consensus node. Thereby improving the reliability of data privacy protection.
S102, the data authorization end generates an encryption permit according to the target authorization object attribute group and the data authorization permit based on a preset mixed encryption algorithm, and calls a preset chain link contract to execute chain link storage operation on the encryption permit.
The data authorization terminal may be an operating system deployed in a data authorizer and configured to generate a data authorization pass and an encryption pass.
Optionally, in an optional embodiment of the present invention, the target authorized object attribute set may be a data set including at least one feature data for defining an authorized object. It should be noted that, in practical application, the target authorized object attribute group may be generated based on a preset authorized object attribute set according to a practical application scenario. For example, in a medical application scenario, the data types in the target object attribute group may include hospital level data, department type data, medical direction data, and the like.
Optionally, in another optional embodiment of the present invention, the uplink contract may be a contract constructed based on an intelligent contract, and configured to write the encrypted certificate as additional information into the uplink storage event, so as to perform persistent storage of the encrypted certificate at a set location of the blockchain. The Smart contract (Smart contract) described above is a computer protocol intended to propagate, verify or execute contracts in an informative manner. Because smart contracts allow trusted transactions to be conducted without third parties, these transactions are traceable and irreversible. Therefore, the invention can prevent the encrypted certification data from being falsified by the malicious network attack by presetting the uplink contract, thereby improving the reliability of data privacy protection.
It should be noted that the specific construction method of the default uplink contract may be set according to the actual application scenario, and this is not limited and described in detail herein.
Optionally, in another optional embodiment of the present invention, the preset hybrid encryption algorithm may be an encryption algorithm constructed based on multiple encryption manners. The data authorization pass is generated according to the target authorization object attribute group and the data authorization pass by using a preset mixed encryption algorithm. Therefore, the data using end can realize the decryption of the encrypted pass certificate only when the attribute data of the data using end is matched with the data in the target authorization object attribute group. Meanwhile, the encrypted certificate is encrypted by the preset mixed encryption algorithm. After the encrypted certificate uplink is stored, the content of the encrypted certificate is unreadable by the blockchain consensus node. Therefore, compared with the prior art, the method and the device improve the reliability of data privacy protection.
S103, the data using end obtains the encrypted pass and a first transaction hash value matched with the encrypted pass, and decrypts the encrypted pass by using a locally stored decryption key.
The data using end may be an operating system deployed on a data using party and used for generating a data access permit.
The first transaction hash value may be an identifier for identifying the operation of the encrypted certificate uplink storage. The data type may include the block height for storing the encrypted certificate and the number of the uplink storage operation.
Optionally, in an optional embodiment of the present invention, the decryption key may be a key generated from attribute data stored in the data using end based on an attribute encryption algorithm. In an actual application scenario, if the attribute data stored at the data using end matches the data in the attribute group of the target authorized object in step S102 shown in fig. 1, and all the data are generated based on the same attribute encryption algorithm. The decryption key may enable decryption of the encrypted pass. If the decryption key does not satisfy any of the two conditions, the data using end cannot decrypt the encrypted certificate, so that the reliability of data privacy protection is improved.
And S104, under the condition that the decryption is passed, the data using end generates a data access permit according to the using party identifier, the using party signature and the data authorization permit obtained by the decryption.
And S105, the data using end calls a preset certificate storing contract, performs chain certificate storing operation on the hash value of the data access certificate, and obtains a second transaction hash value.
It should be noted that the specific construction method of the preset memory security contract may be set by itself according to the actual application scenario, and this is not limited and described in detail herein.
And S106, the data using end sends the data access permit, the first transaction hash value and the second transaction hash value to the target data source according to the target data source identifier.
The target data source may be a server for storing target data.
It should be noted that, in an actual application scenario, there are various implementations of step S106 shown in fig. 1, and an exemplary one here is:
and the data using end calls a communication port of the target data source according to the target data source identifier, and sends the data access permit, the first transaction hash value and the second transaction hash value to the target data source.
And S107, the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, the use permission of the data use end to the target data is opened.
Optionally, in an optional embodiment of the present invention, since the data access certificate is not encrypted after being generated. And the data access permit, the transmission of the first transaction hash value and the second transaction hash value are all realized through a communication port set by a target data source. Therefore, the data in the data access certificate is prevented from being maliciously tampered in the transmission process. According to the invention, through presetting the verification rule, the corresponding linked data and the data authorization certification data are obtained according to the data access certification, the first transaction hash value and the second transaction hash value, and the data access certification is verified according to the data access certification, the first transaction hash value and the second transaction hash value, so that the risk of malicious tampering is avoided, and the reliability of data privacy protection is improved.
The invention generates the data authorization pass certificate including the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorized party through various encryption algorithms. So that the data content in the data authorization voucher can be converted into a readable state only by a corresponding decryption algorithm. Meanwhile, the data authorization pass is encrypted through the target authorization object attribute group to generate an encryption pass, so that the encryption pass is unreadable to the consensus node after the uploading block chain. And the encrypted certificate can be decrypted only by the decryption key matched with the target authorized object attribute group. And finally, acquiring corresponding linked data and data authorization certification data according to the data access certification, the first transaction hash value and the second transaction hash value through a preset verification rule, and verifying the data access certification so as to reduce the risk of malicious tampering of the data access certification in the transmission process. Therefore, the invention improves the reliability of data privacy protection.
Optionally, the data authorization end generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information, and the signature of the authorization party, and includes:
and the data authorization end symmetrically encrypts spliced data according to the first random number by using a preset symmetric encryption algorithm to obtain first spliced data, wherein the spliced data is obtained by performing data splicing on the hash value, the identifier of the authorization party, the identifier of the target data source and the access control condition data of the target data by using the data authorization end. And performing data splicing on the second random number and the first spliced data to obtain second spliced data, and performing hash operation on the second spliced data by using a preset hash algorithm to obtain revocation verification information.
And the data authorization terminal performs data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data and the revocation verification information to obtain third spliced data. And performing hash operation on the third spliced data by using a preset hash algorithm to obtain a hash value of the third spliced data. And generating the signature of the authority party according to the hash value of the third spliced data by utilizing a first preset signature generation algorithm.
And the data authorization terminal generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
The preset symmetric encryption algorithm (symmetricalcryptography) has the characteristics of short key establishment time, good sensitivity, low memory requirement and the like. Therefore, under the condition of high concurrency or large data volume, the preset symmetric encryption algorithm is adopted for data encryption, and the overall efficiency of data authorization can be improved.
Wherein, the first random number and the second random number have different values.
It should be noted that, in an actual application scenario, specific types of the preset symmetric encryption algorithm, the preset hash algorithm, and the first preset signature generation algorithm may be set by themselves according to the actual application scenario, and the present invention is not limited and described herein.
Optionally, the preset hybrid encryption algorithm is composed of a preset symmetric encryption algorithm and a preset attribute encryption algorithm, and the data authorization end generates an encryption pass certificate according to the target authorization object attribute group and the data authorization pass certificate based on the preset hybrid encryption algorithm, including:
and the data authorization terminal symmetrically encrypts the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by using a preset symmetric encryption algorithm to obtain the data of the certification passing header.
And the data authorization terminal determines a decryption key of the pass-certificate head data as an access key, and generates an initial encryption pass-certificate according to the access key, the pass-certificate head data and the pass-certificate data, wherein the pass-certificate data comprises revocation verification information and an authorization party signature.
And the data authorization end performs attribute encryption on the access key in the initial encryption pass certificate by using a preset attribute encryption algorithm according to the target authorization object data set to obtain the encryption pass certificate.
Optionally, in an optional embodiment of the present invention, the preset attribute encryption algorithm may be an algorithm for encrypting according to attribute data of an authorized object. The type of the preset attribute encryption algorithm may include: key-Policy Attribute-Based Encryption (KP-ABE) and secret-Policy Attribute-Based Encryption (CP-ABE).
Optionally, in another optional embodiment of the present invention, the encrypted certificate consists of certificate-passing header data, certificate-passing verification data, and an access key. The verification-oriented header data and the access key are displayed in a ciphertext mode, and the verification-oriented verification data are displayed in a plaintext mode. Because the presentation forms of the verification data are all hash values, the risk of data leakage can not be generated even if the verification data are presented in a plaintext.
Optionally, in another optional embodiment of the present invention, the revocation verification information in the verification data is shown in clear text. Therefore, the data authority can revoke the data authorization certificate according to the second random number constituting the revocation verification information. The specific implementation process can be as follows:
and the data authorization end calls a preset revocation contract and searches the target encryption certificate stored on the block chain according to the first transaction hash value.
Because the certification verification data of the target encryption certification is a plaintext display, the common identification node storing the target encryption certification can read the revocation verification information in the certification verification data.
And the consensus node performs hash operation on a second random number sent by a preset revocation contract, and compares the operation result with the hash value of the second random number in the revocation verification information.
And under the condition of consistent comparison, the consensus node takes the revocation verification information and a second random number uploaded by a preset revocation contract as a mapping structure and writes the mapping structure into the block chain. So that the target data source can determine that the data authorization certificate is revoked according to the mapping structure and terminate the use right for developing the target data.
Optionally, the decryption key is a key generated by the data using end according to the attribute data of the data using end by using a preset attribute encryption algorithm.
Optionally, the data access permit is generated by the data using end according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and the decryption when the decryption is passed, and includes:
and the data use end performs data splicing on the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data and the revocation verification information in the data authorization certificate to obtain fourth spliced data.
And the data using end performs hash operation on the fourth splicing data by using a preset hash algorithm to obtain a hash value of the fourth splicing data.
And the data using end generates a user signature according to the hash value of the fourth splicing data by using a second preset signature generation algorithm.
And the data using end generates the data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and the decryption.
Optionally, in an optional embodiment of the present invention, the first preset signature generation algorithm and the second preset signature generation algorithm need to be signature generation algorithms for generating different keys.
Optionally, the preset validation rule is composed of a data access validation validity validation rule and a data access validation verification rule,
the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit and the first transaction hash value, if so, the use permission of the data use end to the target data is opened, and the method comprises the following steps:
and the target data source carries out data access certification validity verification rule verification according to the data access certification: and judging whether the hash value of the target data in the data access permit is consistent with the calculated hash value of the target data locally stored in the target data source. And judging whether the identifier of the authorized party in the data access permit is consistent with the user identifier matched with the target data locally stored in the target data source. And judging whether the access control condition data in the data access permit meets the preset access control condition. And judging whether the data access permit is revoked according to the first transaction hash value in the data access permit. And carrying out signature and signature verification operation on the signature of the authorization party and the signature of the using party in the data access certificate, and judging whether the signature verification result meets the preset signature verification condition. If the data access request is positive, the target data source judges data access pass, and the validity verification rule of the data access pass is met.
And the target data source carries out data access certification and storage certification verification rule verification according to the data access certification and the second transaction hash value: and the target data source calculates a calculated hash value of the data access permit by using a preset hash algorithm. And the target data source searches whether the block chain has the uplink record of the data access permit according to the second transaction hash value, and if so, acquires the hash value of the data access permit stored in the block chain according to the second transaction hash value. And the target data source judges whether the hash value of the data access permit is consistent with the calculated hash value. And under the condition that the block chain has the uplink record of the data access permit and the hash value of the data access permit is consistent with the calculated hash value, the target data source judges the data access permit and the first transaction hash value, and the data access permit and storage permit verification rule is met.
And opening the use authority of the data use end to the target data by the target data source under the condition that the data access permit is judged to meet the preset verification rule.
Optionally, in an optional embodiment of the present invention, the process of verifying the data access verification validity verification rule and the process of verifying the data access verification storage verification rule are performed. Can be carried out simultaneously or sequentially. The present invention does not impose any limitation on the execution order of the two verification processes.
It will be appreciated by those skilled in the art that the signature verification process described above can be implemented in a variety of ways, such as: and decrypting the signature of the authorized party and the signature of the user respectively through the decryption keys of the first preset signature generation algorithm and the second preset signature generation algorithm. And respectively obtaining third splicing data and fourth splicing data. And respectively carrying out hash operation on the third spliced data and the fourth spliced data by utilizing the preset hash algorithm. And comparing the two operation results with the hash value of the third spliced data and the hash value of the fourth spliced data obtained by decryption respectively. If the data access permit is consistent with the data access permit, the data access permit is proved to be sent by the data authorization end indeed, and the data access permit is not tampered. The present invention will not be described in detail.
Optionally, when the multiple data access certificates have different target data source identifiers, the data using end invokes a preset certificate storing contract, performs a chain certificate storing operation on the hash value of the data access certificate, and obtains a first transaction hash value, further including:
for each target data source identifier: and the data using end utilizes a preset aggregation algorithm to aggregate the hash values of the multiple data access certificates matched with the target data source identifier to obtain an initial root hash value matched with the target data source identifier.
And the data using end utilizes a preset aggregation algorithm to aggregate the initial root hash value group to obtain the root hash value, wherein the initial root hash value group comprises a plurality of initial root hash values matched with the target data source identifiers.
And the data using end calls a preset evidence storing contract, executes chain evidence storing operation on the root hash value and obtains a third transaction hash value.
Optionally, in an optional embodiment of the present invention, the hash value of each data access permit may be obtained by performing a hash operation on each data access permit by using a preset hash algorithm at the data using end.
Optionally, in another optional embodiment of the present invention, in an actual application scenario, the data using end may generate a large amount of data access certificates at one time. If the data access certificates are executed one by one, the uplink certificate storing operation is executed. The risk of reducing the operation efficiency of the block chain is easily generated, and the data authorization efficiency is further reduced. Therefore, the invention aggregates the plurality of data access certificates by introducing the preset aggregation algorithm. Therefore, the efficiency of data authorization under the working condition of high concurrent uplink is improved. Among them, there are various types of the predetermined aggregation algorithm, such as merkel tree (Merkle tree) aggregation algorithm. The specific implementation process can be as follows:
please refer to fig. 2. Suppose that the current data authorization end generates six data access certificates, which are respectively a, B, C, D, E and F. Wherein, the target data sources of A, B, C and D are the server 1. The target data source for E and F is server 2. The data authorization terminal calculates the hash value of each data access certificate by using a preset hash algorithm, and the hash value is as follows: hash (a), hash (B), hash (C), hash (D), hash (E), and hash (F).
As shown in fig. 2, the data authorization side performs pairwise aggregation on the hash values of the data access certificates belonging to the same target data source by using a preset aggregation algorithm. For convenience of description, hash (a) and hash (B) are aggregated, hash (C) and hash (D) are aggregated, and hash (E) and hash (F) are aggregated. Since hash (a) and hash (B) aggregate to generate hash (a | B), hash (C) and hash (D) aggregate to generate hash (C | D). Therefore, the hash (a | B) and the hash (C | D) need to be aggregated again.
A first initial root hash value hash (a | B | C | D), and a second initial root hash value hash (E | F) are obtained, respectively.
And the data authorization end aggregates the first initial root hash value hash (A | B | C | D) and the second initial root hash value hash (E | F) by using the preset aggregation algorithm again to obtain a root hash value hash (A | B | C | D | E | F). And calling a preset evidence contract, performing chain evidence storing operation on the root hash value Hash (A | B | C | D | E | F), and obtaining a third transaction hash value.
Optionally, in another optional embodiment of the present invention, when the server 2 needs to perform data access permit storage verification, the data access permit E, the data access permit F, the second initial root hash value hash (E | F), and the third transaction hash value sent by the data authorization side need to be obtained. And executes the data access pass-authentication and verification rule.
It should be noted that, in an actual application scenario, there are various implementations of the above block chain-based data authorization method as shown in fig. 1, and here, an example provides one:
please refer to fig. 3. A request for authorization to use the target data is generated.
Step S301, the data authorization terminal generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
And S302, the data authorization terminal encrypts the data authorization pass by using the target authorization object attribute group based on a preset mixed encryption algorithm to generate an encrypted pass.
Step S303, the data authorization side invokes a preset uplink contract to upload an encryption pass certificate to the block chain.
And S304, storing the encrypted pass certificate by the blockchain, and generating a first transaction hash value matched with the encrypted pass certificate.
Step S305, the data consumer downloads the encrypted certificate and the first transaction hash value from the blockchain.
And S306, the data using end decrypts the encrypted certificate by using the decryption key to obtain the data authorization certificate.
And step S307, the data using end generates a user signature according to the data authorization use pass, generates a data access pass according to the user signature, the user identifier and the data authorization pass, and calculates a hash value of the data access pass.
And step S308, the data using end calls a preset storage certification contract and uploads the hash value of the data access certification to the block chain.
Step S309, the blockchain stores the hash value of the data access certificate and generates a second transaction hash value matching the hash value of the data access certificate.
And step S310, the block chain sends a second transaction hash value to the data using end.
Step S311, the data using end invokes the target data source port according to the target data source identifier, and sends the data access certificate, the first transaction hash value, and the second transaction hash value to the target data source.
And S312, the target data source verifies the validity verification rule of the data access permit according to the data access permit and the first transaction hash value.
And step S313, the target data source verifies the data access permit, the verification of the data access permit and the second transaction hash value.
Step S314, the target data source judges whether the data access certification validity verification rule verification and the data access certification storage verification rule verification pass or not. If yes, step S315 is triggered, otherwise step S316 is triggered.
And step S315, developing the use permission of the target data by the target data source, and sending the target data to the data using end.
And step S316, ending the flow.
Optionally, step S301 shown in fig. 3 is an alternative embodiment of step S101 shown in fig. 1. The steps S302 to S304 shown in fig. 3 are alternative embodiments of the step S102 shown in fig. 1. Step S305 and step S306 shown in fig. 3 are alternative embodiments of step S103 shown in fig. 1. Step S307 shown in fig. 3 is an alternative embodiment of step S104 shown in fig. 1. Steps S308 to S310 shown in fig. 3 are alternative embodiments of step S105 shown in fig. 1. Step S311 shown in fig. 3 is an alternative embodiment of step S106 shown in fig. 1. The steps S312 to S316 shown in fig. 3 are alternative embodiments of the step S107 shown in fig. 1.
Correspondingly to the above method embodiment, the present invention further provides a data authorization system based on a block chain, as shown in fig. 4, the data authorization system based on a block chain includes:
the data authorization method comprises a data authorization end 401, a data using end 402 and a target data source 403, wherein the data authorization end 401 generates a data authorization pass according to a hash value of target data, an identifier of an authorization party, an identifier of the target data source, access control condition data, revocation verification information and a signature of the authorization party.
The data authorization terminal 401 generates an encryption permit according to the target authorization object attribute group and the data authorization permit based on a preset hybrid encryption algorithm, and invokes a preset chain link contract to execute chain link storage operation on the encryption permit, so as to obtain a first transaction hash value matched with the encryption permit.
The data consumer 402 obtains the encrypted certificate and the first transaction hash value matching the encrypted certificate, and decrypts the encrypted certificate with the locally stored decryption key.
When the decryption is passed, the data consumer 402 generates a data access permit according to the consumer identifier, the consumer signature, and the data authorization permit obtained by the decryption.
The data using end 402 calls a preset deposit-evidence contract, performs uplink deposit-evidence operation on the hash value of the data access evidence, and obtains a second transaction hash value.
The data consumer 402 sends the data access certificate, the first transaction hash value and the second transaction hash value to the target data source 403 according to the target data source identifier.
And the target data source 403 judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, opens the use permission of the target data by the data use end.
Optionally, the data authorization end 401 is configured to:
the data authorization end 401 symmetrically encrypts the spliced data according to the first random number by using a preset symmetric encryption algorithm to obtain first spliced data, wherein the spliced data is obtained by performing data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the source of the target data and the access control condition data by the data authorization end 401. And performing data splicing on the second random number and the first spliced data to obtain second spliced data, and performing hash operation on the second spliced data by using a preset hash algorithm to obtain revocation verification information.
The data authorization terminal 401 performs data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data and the revocation verification information to obtain third spliced data. And performing hash operation on the third spliced data by using a preset hash algorithm to obtain a hash value of the third spliced data. And generating the signature of the authorized party according to the hash value of the third spliced data by using a first preset signature generation algorithm.
The data authorization terminal 401 generates a data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information, and the signature of the authorization party.
Optionally, the data authorization side 401 is further configured to:
the data authorization terminal 401 symmetrically encrypts the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by using a preset symmetric encryption algorithm to obtain the data of the certification passing header.
The data authorization terminal 401 determines the decryption key of the certificate passing header data as an access key, and generates an initial encrypted certificate passing according to the access key, the certificate passing header data and the certificate passing data, wherein the certificate passing data includes revocation verification information and an authorization party signature.
And the data authorization terminal 401 performs attribute encryption on the access key in the initial encryption pass by using a preset attribute encryption algorithm according to the target authorization object data set to obtain an encryption pass.
Optionally, the data using end 402 is configured to:
the data using end 402 performs data splicing on the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data and the revocation verification information in the data authorization certificate, and obtains fourth spliced data.
The data using end 402 performs hash operation on the fourth splicing data by using a preset hash algorithm to obtain a hash value of the fourth splicing data.
The data using end 402 generates a user signature according to the hash value of the fourth concatenated data by using a second preset signature generation algorithm.
The data consumer 402 generates a data access permit according to the consumer identifier, the consumer signature and the data authorization permit obtained by decryption.
Optionally, the target data source 403 is configured to:
the target data source 403 performs data access certification validity verification rule verification according to the data access certification: it is determined whether the hash value of the target data in the data access certificate is consistent with the calculated hash value of the target data locally stored in the target data source 403. It is determined whether the authorizer identifier in the data access certificate is consistent with the user identifier matching the target data stored locally by the target data source 403. And judging whether the access control condition data in the data access permit meets the preset access control condition. And judging whether the data access permit is revoked according to the first transaction hash value in the data access permit. And carrying out signature and signature verification operation on the signature of the authorized party and the signature of the using party in the data access certificate, and judging whether the signature verification result meets the preset signature verification condition. If the data access validity is yes, the target data source 403 judges that the data access is approved and meets the data access approval validity verification rule.
The target data source 403 performs data access certification and storage certification rule verification according to the data access certification and the second transaction hash value: the target data source 403 calculates a calculated hash value of the data access certificate using a preset hash algorithm. The target data source 403 searches whether an uplink record of the data access permit exists on the block chain according to the second transaction hash value, and if so, acquires the hash value of the data access permit stored on the block chain according to the second transaction hash value. The target data source 403 determines whether the hash value of the data access certificate is consistent with the calculated hash value. In the case that there is an uplink record of the data access certificate on the block chain and the hash value of the data access certificate is consistent with the calculated hash value, the target data source 403 determines the data access certificate and the first transaction hash value, and satisfies the data access certificate verification rule.
And under the condition that the data access permit is judged to meet the preset verification rule, the target data source 403 opens the use authority of the data use end 402 on the target data.
Optionally, the data using end 402 is further configured to:
if the plurality of data access certificates have different target data source identifiers, for each target data source identifier: the data using end 402 aggregates the hash values of the multiple data access certificates matching with the target data source identifier by using a preset aggregation algorithm, and obtains an initial root hash value matching with the target data source identifier.
The data using end 402 aggregates the initial root hash value set by using a preset aggregation algorithm to obtain a root hash value, where the initial root hash value set includes a plurality of initial root hash values matched with the target data source identifiers.
The data using end 402 calls a preset evidence storing contract, performs the cochain evidence storing operation on the root hash value, and obtains a third transaction hash value.
An embodiment of the present invention further provides a data authorization apparatus based on a block chain, and as shown in fig. 5, the data authorization apparatus includes:
a processor 501;
a memory 502 for storing instructions executable by the processor 501.
Wherein the processor 501 is configured to execute instructions to implement the blockchain based data authorization method according to any one of the above.
Embodiments of the present invention also provide a computer-readable storage medium, where instructions in the computer-readable storage medium, when executed by a processor of a blockchain-based data authorization apparatus, enable the blockchain-based data authorization apparatus to perform any one of the above methods for blockchain-based data authorization.
The memory may include volatile memory in a computer readable medium, random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising one of 8230; \8230;" 8230; "does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for data authorization based on block chains, the method comprising:
the data authorization end generates a data authorization pass certificate according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party;
the data authorization end generates an encryption permit according to a target authorization object attribute group and the data authorization permit based on a preset mixed encryption algorithm, and calls a preset chain link contract to execute chain link storage operation on the encryption permit;
when the attribute data of the data using end is matched with the data in the target authorization object attribute group, the data using end acquires the encrypted certificate and a first transaction hash value matched with the encrypted certificate, and decrypts the encrypted certificate by using a locally stored decryption key;
the data user generates a data access permit according to the user identifier, the user signature and the data authorization permit obtained by decryption under the condition that the decryption is passed;
the data using end calls a preset evidence storing contract, performs chain evidence storing operation on the hash value of the data access evidence and obtains a second transaction hash value;
the data using end sends the data access permit, the first transaction hash value and the second transaction hash value to a target data source according to the target data source identifier;
and the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, opens the use permission of the data use end to the target data.
2. The method of claim 1, wherein the data authorization side generates the data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party, and comprises:
the data authorization end symmetrically encrypts spliced data according to a first random number by using a preset symmetric encryption algorithm to obtain first spliced data, wherein the spliced data is obtained by performing data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by the data authorization end; performing data splicing on a second random number and the first spliced data to obtain second spliced data, and performing hash operation on the second spliced data by using a preset hash algorithm to obtain revocation verification information;
the data authorization terminal performs data splicing on the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data and the revocation verification information to obtain third spliced data; performing hash operation on the third spliced data by using the preset hash algorithm to obtain a hash value of the third spliced data; generating the signature of the authorized party according to the hash value of the third spliced data by using a first preset signature generation algorithm;
and the data authorization terminal generates the data authorization pass according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party.
3. The method according to claim 2, wherein the preset hybrid encryption algorithm is composed of the preset symmetric encryption algorithm and a preset attribute encryption algorithm, and the data authorization terminal generates an encryption pass certificate according to the target authorization object attribute group and the data authorization pass certificate based on the preset hybrid encryption algorithm, including:
the data authorization terminal symmetrically encrypts the hash value of the target data, the identifier of the authorization party, the identifier of the target data source and the access control condition data by using the preset symmetric encryption algorithm to obtain the certification-based header data;
the data authorization end determines a decryption key of the certificate passing header data as an access key, and generates an initial encryption certificate passing according to the access key, the certificate passing header data and the certificate passing data, wherein the certificate passing data comprises the revocation verification information and the signature of the authorization party;
and the data authorization end performs attribute encryption on the access key in the initial encryption pass by using the preset attribute encryption algorithm according to the target authorization object data set to obtain the encryption pass.
4. The method according to claim 3, wherein the decryption key is a key generated by the data consumer according to the attribute data of the data consumer by using the preset attribute encryption algorithm.
5. The method according to claim 2, wherein the data using end generates a data access permit according to the user identifier, the user signature and the data authorization permit obtained by decryption in case of passing decryption, comprising:
the data using end performs data splicing on the hash value of the target data, the identifier of the authorized party, the identifier of the target data source, the access control condition data and the revocation verification information in the data authorization permit to obtain fourth spliced data;
the data using end performs hash operation on the fourth splicing data by using the preset hash algorithm to obtain a hash value of the fourth splicing data;
the data using end generates the user signature according to the hash value of the fourth splicing data by using a second preset signature generation algorithm;
and the data using end generates the data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and decryption.
6. The method according to claim 5, wherein the preset validation rules are composed of a data access validation rule and a data access validation rule,
the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit and the first transaction hash value, if yes, the use authority of the data use end to the target data is opened, and the method comprises the following steps:
and the target data source carries out the verification of the validity verification rule of the data access permit according to the data access permit: judging whether the hash value of the target data in the data access permit is consistent with the calculated hash value of the target data locally stored in the target data source or not; judging whether the identifier of the authorized party in the data access permit is consistent with the user identifier matched with the target data locally stored in the target data source; judging whether the access control condition data in the data access permit meets a preset access control condition or not; judging whether the data access permit is revoked or not according to the first transaction hash value in the data access permit; carrying out signature verification operation on the signature of the authorizing party and the signature of the using party in the data access permit, and judging whether a verification result meets a preset verification condition; if so, the target data source judges the data access permit and meets the validity verification rule of the data access permit;
and the target data source carries out data access permit verification and verification rule verification according to the data access permit and the second transaction hash value: the target data source calculates a calculation hash value of the data access permit by using the preset hash algorithm; the target data source searches whether an uplink record of the data access permit exists on a block chain or not according to the second transaction hash value, and if so, obtains the hash value of the data access permit stored on the block chain according to the second transaction hash value; the target data source judges whether the hash value of the data access permit is consistent with the calculated hash value or not; under the condition that the block chain has the uplink record of the data access permit and the hash value of the data access permit is consistent with the calculated hash value, the target data source judges the data access permit and the first transaction hash value to meet the data access permit verification rule;
and opening the use authority of the target data by the data use end under the condition that the target data source judges that the data access permit meets the preset verification rule.
7. The method according to claim 1, wherein in a case where the target data source identifiers of the plurality of data access certificates are different, the data consumer invokes a preset certificate contract, performs a cochain certificate operation on the hash value of the data access certificate, and obtains a first transaction hash value, further comprising:
for each target data source identifier: the data using end utilizes a preset aggregation algorithm to aggregate the hash values of the multiple data access certificates matched with the target data source identifier to obtain an initial root hash value matched with the target data source identifier;
the data using end utilizes the preset aggregation algorithm to aggregate the initial root hash value group to obtain root hash values, wherein the initial root hash value group comprises a plurality of initial root hash values matched with the identifiers of the target data sources;
and the data using end calls the preset evidence storing contract, executes chain storing evidence operation on the root hash value and obtains a third transaction hash value.
8. A data authorization system based on blockchains, the system comprising:
a data authorization end, a data using end and a target data source,
the data authorization terminal generates a data authorization pass certificate according to the hash value of the target data, the identifier of the authorization party, the identifier of the target data source, the access control condition data, the revocation verification information and the signature of the authorization party;
the data authorization end generates an encryption permit according to a target authorization object attribute group and the data authorization permit based on a preset mixed encryption algorithm, and calls a preset chain link contract to execute chain link storage operation on the encryption permit;
when the attribute data of the data using end is matched with the data in the target authorization object attribute group, the data using end acquires the encrypted certificate and a first transaction hash value matched with the encrypted certificate, and decrypts the encrypted certificate by using a locally stored decryption key;
under the condition that the decryption is passed, the data using end generates a data access permit according to the data authorization permit obtained by the identifier of the using party, the signature of the using party and the decryption;
the data using end calls a preset evidence storing contract, performs chain evidence storing operation on the hash value of the data access evidence and obtains a second transaction hash value;
the data using end sends the data access permit, the first transaction hash value and the second transaction hash value to the target data source according to the target data source identifier;
and the target data source judges whether the data access permit meets a preset verification rule or not according to the data access permit, the first transaction hash value and the second transaction hash value, and if so, opens the use authority of the data use end to the target data.
9. An apparatus for data authorization based on block chains, the apparatus comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the blockchain-based data authorization method of any one of claims 1 to 7.
10. A computer-readable storage medium, wherein instructions in the computer-readable storage medium, when executed by a processor of a blockchain-based data authorization apparatus, enable the blockchain-based data authorization apparatus to perform the blockchain-based data authorization method according to any one of claims 1 to 7.
CN202210535037.9A 2022-05-17 2022-05-17 Data authorization method, system, device and storage medium based on block chain Active CN114944949B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210535037.9A CN114944949B (en) 2022-05-17 2022-05-17 Data authorization method, system, device and storage medium based on block chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210535037.9A CN114944949B (en) 2022-05-17 2022-05-17 Data authorization method, system, device and storage medium based on block chain

Publications (2)

Publication Number Publication Date
CN114944949A CN114944949A (en) 2022-08-26
CN114944949B true CN114944949B (en) 2023-03-24

Family

ID=82908169

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210535037.9A Active CN114944949B (en) 2022-05-17 2022-05-17 Data authorization method, system, device and storage medium based on block chain

Country Status (1)

Country Link
CN (1) CN114944949B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344647A (en) * 2018-09-12 2019-02-15 上海点融信息科技有限责任公司 For the access credentials generation method of block chain network, data access method, storage medium, calculate equipment
CN109995791A (en) * 2019-04-11 2019-07-09 清华大学 A kind of data grant method and system
CN111737366A (en) * 2020-07-22 2020-10-02 百度在线网络技术(北京)有限公司 Private data processing method, device, equipment and storage medium of block chain
WO2022021009A1 (en) * 2020-07-27 2022-02-03 王李琰 Electronic certificate circulation management method and system based on blockchain, and blockchain platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11645632B2 (en) * 2020-05-26 2023-05-09 Derek Norman La Salle System and method for a decentralized portable information container supporting privacy protected digital information credentialing, remote administration, local validation, access control and remote instruction signaling utilizing blockchain distributed ledger and container wallet technologies

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344647A (en) * 2018-09-12 2019-02-15 上海点融信息科技有限责任公司 For the access credentials generation method of block chain network, data access method, storage medium, calculate equipment
CN109995791A (en) * 2019-04-11 2019-07-09 清华大学 A kind of data grant method and system
CN111737366A (en) * 2020-07-22 2020-10-02 百度在线网络技术(北京)有限公司 Private data processing method, device, equipment and storage medium of block chain
WO2022021009A1 (en) * 2020-07-27 2022-02-03 王李琰 Electronic certificate circulation management method and system based on blockchain, and blockchain platform

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Block-Chain-Based Personal Data Hosting;N. Daveze et al,;《IEEE》;第21-25页 *
基于区块链技术的通证模型的设计与分析;巫光福等;《计算机科学》;第613-618页 *
基于比特币区块链的公共无线局域网接入控制隐私保护研究;牛玉坤等;《网络与信息安全学报》(第02期);第60-70页 *

Also Published As

Publication number Publication date
CN114944949A (en) 2022-08-26

Similar Documents

Publication Publication Date Title
CN110933108B (en) Data processing method and device based on block chain network, electronic equipment and storage medium
US20220391831A1 (en) Blockchain-Based Authentication And Authorization
EP3451579B1 (en) Multiple-phase rewritable blockchain
US11070542B2 (en) Systems and methods for certificate chain validation of secure elements
JP4593533B2 (en) System and method for updating keys used for public key cryptography
CN108768933B (en) Autonomous supervision digital identity authentication system on block chain platform
WO2020143318A1 (en) Data verification method and terminal device
CN113497709A (en) Trusted data source management method based on block chain, signature device and verification device
EP4092984A1 (en) Data processing method and apparatus, device and medium
CN115345618B (en) Block chain transaction verification method and system based on mixed quantum digital signature
CN113347008B (en) Loan information storage method adopting addition homomorphic encryption
CN117155549A (en) Key distribution method, key distribution device, computer equipment and storage medium
CN115953244A (en) Transaction supervision method and device based on block chain, electronic equipment and storage medium
CN112702354B (en) Data resource sharing traceability method and device based on blockchain technology
US20240187256A1 (en) Systems and methods for enforcing cryptographically secure actions in public, non-permissioned blockchains using bifurcated self-executing programs comprising shared digital signature requirements
CN113326529A (en) Decentralized architecture unifying method based on trusted computing
CN100437422C (en) System and method for enciphering and protecting software using right
CN115883102B (en) Cross-domain identity authentication method and system based on identity credibility and electronic equipment
CN115409511B (en) Personal information protection system based on block chain
CN114944949B (en) Data authorization method, system, device and storage medium based on block chain
Chen et al. How to bind a TPM’s attestation keys with its endorsement key
CN111046441B (en) Management method, equipment and medium for encrypted hard disk key
CN113159774A (en) Monitorable zero-knowledge proof verification method and system in block chain
TWM585941U (en) Account data processing system
US20240241939A1 (en) Auditing secure enclaves

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant