
CN114978771B - Data security sharing method and system based on blockchain technology - Google Patents

Info

Publication number
CN114978771B
Authority
CN
China
Prior art keywords
data
consumer
token
data consumer
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210883132.8A
Other languages
Chinese (zh)
Other versions
CN114978771A (en)
Inventor
赵殿君
杨俊苏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Yunzhi Digital Security Technology Co ltd
Original Assignee
Chengdu Yunzhi Digital Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Yunzhi Digital Security Technology Co ltd
Priority to CN202210883132.8A
Publication of CN114978771A
Application granted
Publication of CN114978771B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of this specification provide a data security sharing method and system based on blockchain technology, belonging to the field of data sharing. The system comprises: an identity management component for establishing at least one token corresponding to a data consumer based on at least one attribute of the data consumer, and for storing the token on the blockchain; an access control component for verifying the token of the data consumer based on a data access request of the data consumer, granting access rights to the data consumer after the token passes verification, and providing encrypted data to the data consumer based on the access rights, the data consumer decrypting the encrypted data to obtain target data; and a log and monitoring component for recording the data access requests of data consumers that have been granted access rights and for recording the decryption operations performed by the data consumer on the encrypted data. The system has the advantages of improving identity verification efficiency and data security in data sharing.

Description

Data security sharing method and system based on blockchain technology
Technical Field
The present disclosure relates to the field of data sharing, and in particular, to a method and system for securely sharing data based on a blockchain technique.
Background
In a traditional data sharing process, a service provider employs an AAA client-server architecture and a Service Level Agreement (SLA), which is an agreement between the service provider and the user that defines terms and conditions of service provisioning and delivery, including security measures. Furthermore, using the SLA, the right to use the user data is granted to the service provider. In this architecture, each service provider runs its own identity management system that acts as both a credential provider and an identity provider. The service provider maintains in its data store a set of user authentication information, such as a user name, password, personal identification code, PIN (Personal Identification Number), OTP (One-time Password) and security questions based on previous answers of the user, in order to match it with the provided credentials when requested by the user.
In the AAA client-server architecture, user data will be saved to a central server, which is fully accessible to service providers using SLAs, who can monitor, track, leak and control the data. This results in user data vulnerability and fraud. Thus, although the data belongs to the user, it is ultimately controlled by the service provider, which is one of the key issues of data privacy and security. Furthermore, SLAs require service providers to ensure that the service is not down. Thus, to achieve this goal, the service provider must maintain the data center to ensure that the service is nearly 100% of the uptime. These data centers are expensive to maintain and operate because they require a significant amount of hardware for computing, networking, storage, firewalls, and cooling systems with operations to ensure all-weather support for services. Also, in this architecture, the service provider may reject any person's identity or perform false authentication. At the same time, the increase in the number of online services based on this architecture leads to overload of identifiers and credentials that the user needs to manage and protect, which inevitably leads to the user forgetting or losing the passwords of the services that are not commonly used.
Therefore, it is desirable to provide a method and a system for securely sharing data based on a blockchain technology, which are used for improving the authentication efficiency and the security of the data in data sharing.
Disclosure of Invention
One of the embodiments of the present disclosure provides a data security sharing system based on a blockchain technique, including: an identity management component for establishing at least one token corresponding to a data consumer based on at least one attribute of the data consumer, and for storing the token on a blockchain; an access control component for verifying a token of the data consumer based on a data access request of the data consumer, granting access rights to the data consumer after the token verification is passed, and providing encrypted data to the data consumer based on the access rights, wherein the data consumer is used for decrypting the encrypted data to obtain target data; and a log and monitoring component for recording the data access request of the data consumer that has been granted the access right and for recording the decryption operation of the data consumer on the encrypted data.
It can be appreciated that the data security sharing system based on the blockchain technology may provide at least the following technical effects: 1. Identity management uses the blockchain: a federated identity management system based on chain code/contracts generates and stores token-based identities. Data consumers can select the attributes they want to use and generate tokens based on the attributes they choose. Because these tokens contain attributes of the user, they can be used for user authentication or authorization when combined with any attribute-based access control model. Because the tokens are stored on the blockchain network, the integrity of the tokens is also guaranteed, and generating and retrieving tokens is very efficient, even in the case of a large number of concurrent requests; 2. Access management uses the blockchain: the blockchain is used to share data securely by means of encryption, without the need to trust any central entity to manage access to the encrypted data. Instead, the access control policy is stored and evaluated publicly on the chain through chain code. The blockchain can ensure the transparency and the integrity of the access control policy and protect the policy evaluation process; 3. Reliable data sharing uses Intel SGX: relying on the trusted decryption device implemented using Intel SGX, the data provider keeps a record of all authorized data access requests. Only those data consumers whose data access requests are recorded can decrypt the encrypted data using the decryption device; 4. Using the software attestation function provided by SGX, it can be ensured that the device has not been tampered with, and the data provider can verify the user's public key from the deployed device.
In some embodiments, the identity management component is further to: creating a key-value pair for each token, wherein a key in the key-value pair is an ID corresponding to the token, and a value in the key-value pair is a character string corresponding to the token; the key-value pairs are stored on the blockchain.
In some embodiments, the at least one attribute comprises a variable attribute and an invariable attribute; the data consumer modifies the variable attribute through the identity management component using a consumer public key.
In some embodiments, the identity management component includes a first key pair, wherein the first key pair is used to conduct encryption and verification of the token.
In some embodiments, the system further comprises: a data provider end, with which a data provider defines an access control policy and encrypts the data provided by the data provider according to the access control policy, wherein the access control policy and the encrypted data provided by the data provider are stored on the blockchain; the data consumer is used for providing an interface for a data consumer user, and is also used for sending the data access request or receiving the encrypted data and decrypting the encrypted data.
In some embodiments, the access control component includes a second key pair that is used to encrypt and verify the access control policy.
In some embodiments, the data provider includes a third key pair for encrypting authentication data.
In some embodiments, the data consumer is further configured to: decrypting the encrypted data through decryption equipment, wherein the decryption equipment is realized by adopting an Intel SGX technology; the decryption device verifies the decryption request by the data consumer with a fourth key.
In some embodiments, the log and monitor component is further configured to record additional information of the data access request, wherein the additional information includes at least a time, a source, target data, or an operation.
One of the embodiments of the present disclosure provides a method for securely sharing data based on a blockchain technique, the method including: establishing at least one token corresponding to a data consumer based on at least one attribute of the data consumer; verifying a token of the data consumer based on the data access request of the data consumer; granting access rights to the data consumer after the token passes verification; providing encrypted data to the data consumer based on the access rights; the data consumer decrypts the encrypted data to obtain target data; and recording a data access request of a data consumer which grants the access right and a decryption operation of the encrypted data by the data consumer.
Drawings
The present specification will be further elucidated by way of example embodiments, which will be described in detail by means of the accompanying drawings. The embodiments are not limiting, in which like numerals represent like structures, wherein:
FIG. 1 is a schematic diagram of a data security sharing system based on blockchain technology according to some embodiments of the present description;
FIG. 2 is an exemplary flow diagram of a method for secure sharing of data based on blockchain 140 technology in accordance with some embodiments of the present description;
In the figures: 110, identity management component; 120, access control component; 130, log and monitoring component; 140, blockchain.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present specification, the drawings that are required to be used in the description of the embodiments will be briefly described below. It is apparent that the drawings in the following description are only some examples or embodiments of the present specification, and it is possible for those of ordinary skill in the art to apply the present specification to other similar situations according to the drawings without inventive effort. Unless otherwise apparent from the context of the language or otherwise specified, like reference numerals in the figures refer to like structures or operations.
It will be appreciated that "system," "apparatus," "unit" and/or "module" as used herein is one method for distinguishing between different components, elements, parts, portions or assemblies at different levels. However, if other words can achieve the same purpose, the words can be replaced by other expressions.
As used in this specification and the claims, the terms "a," "an," and/or "the" are not specific to the singular, but may include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the steps and elements are explicitly identified, and they do not constitute an exclusive list, as other steps or elements may be included in a method or apparatus.
A flowchart is used in this specification to describe the operations performed by the system according to embodiments of the present specification. It should be appreciated that the preceding or following operations are not necessarily performed in order precisely. Rather, the steps may be processed in reverse order or simultaneously. Also, other operations may be added to or removed from these processes.
FIG. 1 is a schematic diagram of a data security sharing system based on blockchain 140 technology according to some embodiments of the present description. As shown in FIG. 1, a data security sharing system based on blockchain 140 technology may include an identity management component 110, an access control component 120, a log and monitoring component 130, and a blockchain 140.
The identity management component 110 can be operative to establish at least one token corresponding to the data consumer based on at least one attribute of the data consumer and also operative to store the token on the blockchain 140.
Identity management component 110 can include chain code and/or contracts that reside on blockchain 140.
Attributes are personal information typically used to distinguish one person from others, and may include, but are not limited to, name, date of birth, certificate ID (e.g., identification card number), email, address, biometric information, etc., where biometric information may include information of a face, fingerprint, pupil, etc. In some embodiments, the at least one attribute corresponding to the token includes a variable attribute and an invariable attribute, wherein the variable attribute refers to an attribute that can be changed, for example, a name, an email, an address, etc., and the invariable attribute refers to an attribute that can not be changed, for example, a credential ID, biometric information, etc.
In some embodiments, one data consumer may apply for multiple tokens, and the combination of attributes corresponding to each token may be different. For example, the first token applied by the data consumer 1 includes a name and a credential ID, and the second token applied by the data consumer 1 includes an email and a face.
In some embodiments, the identity management component 110 may include a blockchain 140 contract for storing tokens on the blockchain 140. When a data provider attempts to authenticate a data consumer, the data consumer must be able to verify whether the token involved is valid.
In some embodiments, the identity management component 110 is further configured to create a key-value pair for each token, where a key in the key-value pair is an ID corresponding to the token and a value in the key-value pair is a string corresponding to the token. The identity management component 110 stores key-value pairs on the blockchain 140. Specifically, the tokens are JSON objects, so that the tokens can be converted into strings, the token ID is a unique value assigned to each token, the token ID can be a random value, and the token ID is used for referencing, retrieving or updating the token itself instead of the hash corresponding to the token, since any change in the token (e.g., updating the fields of the attributes) will generate an entirely new hash. The attribute corresponding to the token can be queried through the token ID.
In some embodiments, the identity management component 110 may link the token with the data consumer using the consumer public key of the data consumer as the Nym value.
In some embodiments, the data consumer uses the consumer public key to modify the variable attribute through the identity management component 110. In particular, the identity management component 110 may first verify the Nym value in the request and then update the attributes of the corresponding token.
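The token storage and update rules described above, as an added Python sketch that is not code from the patent: tokens are JSON strings keyed by a random token ID, the Nym in an update request is checked before any change, and only variable attributes may change. The `TokenLedger` class, its method names and the sample values are assumptions made for illustration; the in-memory dictionary stands in for chaincode state.

```python
import hashlib
import hmac
import json
import secrets

# Attribute classes follow the description: credential ID and biometric
# information are invariable; name, email and address are variable.
INVARIABLE = {"credential_id", "biometric"}


class TokenLedger:
    """In-memory stand-in for the chaincode key-value state (hypothetical)."""

    def __init__(self):
        self._state = {}  # token ID -> token serialized as a JSON string

    def create_token(self, nym, attributes):
        # The key is a random ID, not the token hash, so it survives updates.
        token_id = secrets.token_hex(16)
        token = {"nym": nym, "attributes": dict(attributes)}
        self._state[token_id] = json.dumps(token, sort_keys=True)
        return token_id

    def get_token(self, token_id):
        return json.loads(self._state[token_id])

    def token_hash(self, token_id):
        return hashlib.sha256(self._state[token_id].encode()).hexdigest()

    def update_attributes(self, token_id, request_nym, changes):
        token = self.get_token(token_id)
        # Step 1: verify the Nym value in the request against the token owner.
        # Assumption: proof that the caller holds the matching private key
        # (a signature check) has already happened before this call.
        if not hmac.compare_digest(request_nym.encode(), token["nym"].encode()):
            raise PermissionError("Nym does not match the token owner")
        # Step 2: refuse invariable attributes and attributes not in the token.
        blocked = INVARIABLE.intersection(changes)
        if blocked:
            raise ValueError("invariable attribute(s): %s" % sorted(blocked))
        unknown = set(changes) - set(token["attributes"])
        if unknown:
            raise ValueError("attribute(s) not in token: %s" % sorted(unknown))
        # Step 3: rewrite the value under the same token ID.
        token["attributes"].update(changes)
        self._state[token_id] = json.dumps(token, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample data.
    ledger = TokenLedger()
    tid = ledger.create_token(
        "nym-consumer-1",
        {"name": "Alice", "email": "alice@example.test", "credential_id": "ID-0001"},
    )
    before = ledger.token_hash(tid)
    ledger.update_attributes(tid, "nym-consumer-1", {"email": "a2@example.test"})
    print("same ID, hash changed:", ledger.token_hash(tid) != before)
```
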
In some embodiments, the identity management component 110 includes a first key pair (VK_IdMgr and SK_IdMgr) that is used to encrypt and verify the token.
The data consumer may prove to the data provider that they have access to a particular piece of data using the authenticated token.
The access control component 120 can be configured to authenticate a token of a data consumer based on a data access request of the data consumer, and grant access rights to the data consumer after the token passes authentication, provide encrypted data to the data consumer based on the access rights, and the data consumer can be configured to decrypt the encrypted data to obtain target data.
The access control component 120 (Access Control Manager, ACM) can be used to store and evaluate access control policies on the blockchain 140. After being authorized, the access control component 120 processes the data consumer's data access request and provides the encrypted data to the data consumer. The access control component 120 can include chain code and/or contracts that reside on the blockchain 140.
In some embodiments, the data security sharing system based on the blockchain 140 technology may further include a data provider (Data Provider Application) for defining the access control policy by the data provider and for encrypting the data provided by the data provider according to the access control policy, wherein the access control policy and the encrypted data provided by the data provider are stored on the blockchain 140. The data provider may be used to maintain in-chain storage (local), store personal data in encrypted format using symmetric encryption, and allow data to be deleted from the system when the data owner withdraws consent. The data security sharing system based on blockchain 140 technology allows data providers (i.e., organizations acting as data controllers) to share personal data at different levels of authority and granularity while adhering to the transparency and accountability principles of GDPR (General Data Protection Regulation).
In some embodiments, the data provider may include a third key pair (VK_DP and SK_DP) that is used to encrypt and decrypt data.
In some embodiments, the data security sharing system based on blockchain 140 technology may also include a data consumer (Data Consumer Application) for providing an interface for data consumer users, and for sending data access requests or receiving encrypted data and decrypting the encrypted data. The application provides an interface through which a data consumer user communicates with other entities (data providers) and requests access to data. Each data consumer is given a consumer key pair (VK_DC and SK_DC) for a digital signature scheme, and EK_DC and DK_DC protect data based on an asymmetric cryptographic scheme. Each data consumer also needs to be given a unique identifier, DC_nym, that is used to associate data access requests with the data consumer. In some embodiments, DC_nym may be the consumer public key of the data consumer.
In some embodiments, the data consumer may decrypt the encrypted data through a decryption device implemented using Intel SGX technology. The decryption device verifies the decryption request by the data consumer with the fourth key. In particular, each data consumer has a dedicated decryption device, in which the data consumer can be regarded as a relay for transmitting data to and from the decryption device. The device contains a trusted code that runs in a trusted space named "enclave" to reconstruct the key K and then perform decryption.
The log and monitor component 130 can be used to record data access requests of data consumers granted access rights, as well as to record decryption operations of encrypted data by the data consumers.
The log and monitoring component 130 can store, in a trusted manner, all access requests from authorized data consumers. The primary function of the log and monitoring component 130 is to record the data access log after each delivery of encrypted data to the data consumer; each data provider has to keep its own log.
The log and monitor component 130 should meet the following requirements: 1. each authorized access to the data should be recorded correctly and automatically; 2. data decryption (actual data access) can only be recorded after an access request; 3. the log should contain additional information for the data access request, wherein the additional information may include at least time, source, target data, or operation; 4. the log file itself must be secure (tamper-resistant) against illegal insertion, deletion and malicious modification.
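The four log requirements above, as an added Python sketch that is not code from the patent: an HMAC hash chain is used here as one way to make the log tamper-evident (the patent only says the log is protected by strong encryption and runs inside Intel SGX). The `AccessLog` class, its method names, the key and the sample entries are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
FIELDS = ("seq", "time", "source", "target", "operation")


class AccessLog:
    """Append-only log; each entry's MAC covers the previous entry's MAC."""

    def __init__(self, mac_key):
        self._key = mac_key       # assumption: held only by the trusted logger
        self.entries = []
        self._granted = set()     # (source, target) pairs with a logged request

    def _mac(self, prev, body):
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _append(self, time, source, target, operation):
        # Requirement 3: time, source, target data and operation are recorded.
        body = {"seq": len(self.entries), "time": time, "source": source,
                "target": target, "operation": operation}
        prev = self.head()
        entry = dict(body, prev=prev, mac=self._mac(prev, body))
        self.entries.append(entry)
        return entry

    def head(self):
        """MAC of the newest entry; anchor it elsewhere to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def record_access(self, time, source, target):
        # Requirement 1: every authorized access request is logged.
        self._granted.add((source, target))
        return self._append(time, source, target, "access_request")

    def record_decryption(self, time, source, target):
        # Requirement 2: a decryption is only logged after an access request.
        if (source, target) not in self._granted:
            raise PermissionError("no recorded access request for this decryption")
        return self._append(time, source, target, "decrypt")

    def verify(self, expected_head=None):
        """Requirement 4: return the index of the first bad entry, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in FIELDS}
            if (entry["seq"] != i or entry["prev"] != prev or
                    not hmac.compare_digest(entry["mac"], self._mac(prev, body))):
                return i
            prev = entry["mac"]
        # The chain alone cannot reveal removal of the newest entries, so
        # compare against a head value that was stored outside the log.
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


if __name__ == "__main__":
    # Constructed sample entries.
    log = AccessLog(b"constructed-demo-key")
    log.record_access("2022-07-26T10:00:00Z", "dc-nym-1", "record-42")
    log.record_decryption("2022-07-26T10:00:05Z", "dc-nym-1", "record-42")
    print("intact:", log.verify() == -1)
    log.entries[0]["target"] = "record-7"      # simulated modification
    print("first bad entry:", log.verify())
```
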
In some embodiments, the data security sharing system based on blockchain 140 technology runs a security log protocol on a trusted execution environment (i.e., Intel SGX), as employed by Ryan (2017), to detect how data is processed, by whom, and for what purpose. The integrity of the data decryption process is guaranteed by Intel SGX, while the integrity of the log is guaranteed by strong encryption. The log serves as proof that access to personal data was authorized and protects against internal threats. The record enables the data subject and the data controller to audit internal processes and monitor the system for improper access or disclosure of data, verify the legitimacy of any process, and ensure the integrity and security of personal data. The SGX uses the encrypted data and some public information to securely construct a decryption key each time data decryption is requested, rather than caching a single decryption key in the decryption device.
Blockchain 140 is used to store tokens, access control policies, and references to encrypted data.
The integrity of the data and computations stored on the blockchain 140 is ensured by a set of nodes called miners running a consensus protocol. Thus, the blockchain 140 infrastructure provides the required level of security and transparency to run the components of the blockchain 140 technology-based data security sharing system in a decentralized manner without relying on third party services. The blockchain 140 backend provides data and flow integrity and auditability for a data security sharing system based on blockchain 140 technology. In particular, a data security sharing system based on blockchain 140 technology uses blockchain 140 to ensure that identity attributes and access control policies of users are not modified by malicious users. Blockchain 140 also ensures the integrity of the policy evaluation process because all blockchain 140 operations are performed in a completely decentralized manner. One of the defining features of this technology is the accountability and traceability it provides. Transparency of policies and of policy evaluation is one way for a data provider to show that it complies with the GDPR discipline and transparency principles.
In some embodiments, a data security sharing system based on blockchain 140 technology may provide at least the following technical effects: 1. Identity management uses blockchain 140: a federated identity management system based on chain code/contracts generates and stores token-based identities. Data consumers can select the attributes they want to use and generate tokens based on the selected attributes. Because these tokens contain the user's attributes, they can be used for user authentication or authorization when combined with any attribute-based access control model. Because the tokens are stored on the blockchain 140 network, the integrity of the tokens is also ensured, and generating and retrieving tokens is very efficient, even in the case of a large number of concurrent requests; 2. Access management uses blockchain 140: with the blockchain 140, data is shared securely by means of encryption without requiring any central entity to manage access to the encrypted data. Instead, access control policies are stored and evaluated publicly on the chain through chain code. The use of blockchain 140 can ensure the transparency and integrity of the access control policy and protect the policy evaluation process; 3. Reliable data sharing uses Intel SGX: relying on the trusted decryption device implemented using Intel SGX, the data provider keeps a record of all authorized data access requests. Only those data consumers whose data access requests are recorded can decrypt the encrypted data using the decryption device; 4. Using the software attestation function provided by SGX, it can be ensured that the device has not been tampered with, and the data provider can verify the user's public key from the deployed device.
It should be noted that the above description of the data security sharing system and its modules based on the blockchain 140 technology is for convenience of description only and is not intended to limit the present description to the scope of the illustrated embodiments. It will be appreciated by those skilled in the art that, given the principles of the system, various modules may be combined arbitrarily or a subsystem may be constructed in connection with other modules without departing from such principles. Such variations are within the scope of the present description.
FIG. 2 is an exemplary flow diagram illustrating a method for secure sharing of data based on blockchain 140 technology in accordance with some embodiments of the present description. In some embodiments, the data security sharing method based on the blockchain 140 technology may be performed by a data security sharing system based on the blockchain 140 technology. As shown in fig. 2, the data security sharing method based on the blockchain 140 technology may include the following steps.
Step 210, establishing at least one token corresponding to the data consumer based on at least one attribute of the data consumer.
Step 220, verifying the token of the data consumer based on the data access request of the data consumer.
Step 230, granting access rights to the data consumer after the token passes verification.
Step 240, providing the encrypted data to the data consumer based on the access rights.
Step 250, decrypting, by the data consumer, the encrypted data to obtain the target data.
Step 260, recording the data access request of the data consumer granted access rights and the decryption operation of the encrypted data by the data consumer.
While the basic concepts have been described above, it will be apparent to those skilled in the art that the foregoing detailed disclosure is by way of example only and is not intended to be limiting. Although not explicitly described herein, various modifications, improvements, and adaptations to the present disclosure may occur to one skilled in the art. Such modifications, improvements and adaptations are suggested in this specification and are intended to be exemplary of such modifications, improvements and adaptations.
Meanwhile, the specification uses specific words to describe the embodiments of the specification. Reference to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic is associated with at least one embodiment of the present description. Thus, it should be emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various positions in this specification are not necessarily referring to the same embodiment. Furthermore, certain features, structures, or characteristics of one or more embodiments of the present description may be combined as suitable.
Furthermore, the order in which the elements and sequences are processed, the use of numerical letters, or other designations in the description are not intended to limit the order in which the processes and methods of the description are performed unless explicitly recited in the claims. While certain presently useful inventive embodiments have been discussed in the foregoing disclosure, by way of various examples, it is to be understood that such details are merely illustrative and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements included within the spirit and scope of the embodiments of the present disclosure. For example, while the system components described above may be implemented by hardware devices, they may also be implemented solely by software solutions, such as installing the described system on an existing server or mobile device.
Likewise, it should be noted that in order to simplify the presentation disclosed in this specification and thereby aid in understanding one or more inventive embodiments, various features are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not intended to imply that more features than are presented in the claims are required for the present description. Indeed, the claimed subject matter may lie in fewer than all of the features of a single embodiment disclosed above.
Each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., referred to in this specification is incorporated herein by reference in its entirety. Excluded are application history documents that are inconsistent with or conflict with the content of this specification, as well as documents, currently or later attached to this specification, that limit the broadest scope of the claims of this specification. It is noted that, if the description, definition, and/or use of a term in material attached to this specification is inconsistent with or conflicts with what is described in this specification, the description, definition, and/or use of the term in this specification controls.
Finally, it should be understood that the embodiments described in this specification are merely illustrative of the principles of the embodiments of this specification. Other variations are possible within the scope of this description. Thus, by way of example, and not limitation, alternative configurations of embodiments of the present specification may be considered as consistent with the teachings of the present specification. Accordingly, the embodiments of the present specification are not limited to only the embodiments explicitly described and depicted in the present specification.

Claims (7)

1. A blockchain technology-based data security sharing system, comprising:
an identity management component for establishing at least one token corresponding to a data consumer based on at least one attribute of the data consumer, and for storing the token on a blockchain;
the identity management component establishes at least one token corresponding to a data consumer based on at least one attribute of the data consumer, comprising:
establishing at least one token corresponding to the data consumer based on at least one variable attribute and at least one non-variable attribute of the data consumer, wherein the at least one variable attribute comprises a name, an email and an address, the at least one non-variable attribute comprises a certificate ID and biological characteristic information, and the combination of the corresponding attributes of any two tokens of the consumer is different;
the identity management component is further configured to: creating a key-value pair for each token, wherein a key in the key-value pair is an ID corresponding to the token, and a value in the key-value pair is a character string corresponding to the token; the key-value pairs are stored on the blockchain;
the identity management component is further configured to: use the data consumer's consumer public key as the Nym value, linking the token with the data consumer;
the identity management component refers to, retrieves or updates the token based on the ID corresponding to the token;
the data consumer modifies the variable attribute through an identity management component using a consumer public key;
each data consumer has a dedicated decryption device comprising a trusted code that runs in a trusted space to reconstruct the key K and then perform decryption;
an access control component for verifying a token of the data consumer based on a data access request of the data consumer, and granting access rights to the data consumer after the token verification is passed, providing encrypted data to the data consumer based on the access rights, wherein the data consumer is used for decrypting the encrypted data to obtain target data;
a log and monitoring component for recording the data access request of the data consumer that has been granted the access right, and also for recording the decryption operation of the data consumer on the encrypted data.
2. The blockchain technology based data security sharing system of claim 1, wherein the identity management component includes a first key pair, wherein the first key pair is used to perform encryption and verification of the token.
3. The blockchain technology based data secure sharing system of claim 1, further comprising:
the data providing end is used for defining an access control strategy by a data provider and encrypting data provided by the data provider according to the access control strategy, wherein the access control strategy and the encrypted data provided by the data provider are stored on the blockchain;
the data consumer is used for providing an interface for a data consumer user, and is also used for sending the data access request or receiving the encrypted data and decrypting the encrypted data.
4. The blockchain technology based data security sharing system of claim 3, wherein the access control component includes a second key pair for encrypting and verifying the access control policy.
5. The blockchain technology based data secure sharing system of claim 1, wherein the data provider includes a third key pair for encrypting the authentication data.
6. The blockchain technology based data secure sharing system of any of claims 1-5, wherein the logging and monitoring component is further configured to record additional information of the data access request, wherein the additional information includes at least a time, a source, target data, or an operation.
7. A method for securely sharing data based on a blockchain technique, comprising:
establishing at least one token corresponding to a data consumer in advance based on at least one attribute of the data consumer;
wherein the pre-establishing at least one token corresponding to the data consumer based on at least one attribute of the data consumer comprises:
establishing at least one token corresponding to the data consumer based on at least one variable attribute and at least one non-variable attribute of the data consumer, wherein the at least one variable attribute comprises a name, an email and an address, the at least one non-variable attribute comprises a certificate ID and biological characteristic information, and the combination of the corresponding attributes of any two tokens of the consumer is different;
using the data consumer's consumer public key as the Nym value, linking the token with the data consumer;
creating a key-value pair for each token, wherein a key in the key-value pair is an ID corresponding to the token, and a value in the key-value pair is a character string corresponding to the token; the key-value pairs are stored on the blockchain;
the data consumer uses the public key of the consumer to modify the variable attribute through an identity management component, and references, retrieves or updates the token based on the ID corresponding to the token;
receiving a data access request of a data consumer, and verifying a token of the data consumer based on the data access request of the data consumer;
granting access rights to the data consumer after the token passes verification;
providing encrypted data to the data consumer based on the access rights;
the data consumer decrypts the encrypted data to obtain target data;
recording the data access request of a data consumer that has been granted the access right, and the decryption operation of the data consumer on the encrypted data;
the decryption operation of the encrypted data by the data consumer comprises the following steps:
the data consumer performs a decryption operation on the encrypted data by a decryption device comprising a trusted code that operates in a trusted space to reconstruct the key K and then performs decryption.
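The token life cycle recited in claims 1 and 7 (issue, link to the Nym, update variable attributes, verify, grant, log) can be sketched as follows; this is an added example, not code from the patent. The class and method names are hypothetical, a dict stands in for the blockchain, an HMAC key stands in for the identity component's first key pair, proof that the caller holds the Nym private key is assumed to happen elsewhere, and denied requests are logged in addition to the granted ones the claims require.

```python
import hashlib
import hmac
import json
import time

class SharingSystem:
    def __init__(self, issuer_key: bytes):
        self._key = issuer_key  # assumption: HMAC key standing in for the first key pair
        self.ledger = {}        # assumption: dict standing in for the blockchain (ID -> string)
        self.log = []           # log and monitoring component

    def _mac(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _store(self, token_id: str, claims: dict) -> None:
        body = json.dumps(claims, sort_keys=True)
        self.ledger[token_id] = json.dumps({"body": body, "mac": self._mac(body)})

    def issue(self, nym: str, variable: dict, fixed: dict) -> str:
        names = sorted(set(variable) | set(fixed))
        for stored in self.ledger.values():  # no two tokens of one consumer share a combination
            old = json.loads(json.loads(stored)["body"])
            if old["nym"] == nym and old["names"] == names:
                raise ValueError("attribute combination already used by this consumer")
        token_id = hashlib.sha256(f"{nym}|{names}".encode()).hexdigest()[:16]
        self._store(token_id, {"nym": nym, "names": names, "variable": variable, "fixed": fixed})
        return token_id

    def verify(self, token_id: str, nym: str):
        stored = self.ledger.get(token_id)
        if stored is None:
            return None
        record = json.loads(stored)
        if not hmac.compare_digest(record["mac"], self._mac(record["body"])):
            return None  # token string was altered after issuance
        claims = json.loads(record["body"])
        return claims if claims["nym"] == nym else None

    def update_variable(self, token_id: str, nym: str, changes: dict) -> None:
        claims = self.verify(token_id, nym)
        if claims is None or not set(changes) <= set(claims["variable"]):
            raise PermissionError("not the linked consumer, or attribute is not variable")
        claims["variable"].update(changes)
        self._store(token_id, claims)

    def request_access(self, token_id: str, nym: str, target: str) -> bool:
        granted = self.verify(token_id, nym) is not None
        self.log.append({"time": time.time(), "source": nym, "target": target,
                         "operation": "access", "granted": granted})
        return granted
```

The log entries carry the time, source, target and operation fields that claim 6 lists as additional information.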
CN202210883132.8A 2022-07-26 2022-07-26 Data security sharing method and system based on blockchain technology Active CN114978771B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210883132.8A CN114978771B (en) 2022-07-26 2022-07-26 Data security sharing method and system based on blockchain technology

Publications (2)

Publication Number Publication Date
CN114978771A CN114978771A (en) 2022-08-30
CN114978771B true CN114978771B (en) 2023-06-02

Family

ID=82968698

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210883132.8A Active CN114978771B (en) 2022-07-26 2022-07-26 Data security sharing method and system based on blockchain technology

Country Status (1)

Country Link
CN (1) CN114978771B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant