Disclosure of Invention
This specification provides a blockchain-based data evidence storage method, applied to a pluggable device docked with a terminal device; the pluggable device carries a secure computing environment; a private key corresponding to the pluggable device is stored in the secure computing environment; the method comprises the following steps:
acquiring a data digest of target data collected by the terminal device;
signing the data digest in the secure computing environment based on the private key corresponding to the pluggable device;
and publishing the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key, and stores the data digest in the blockchain after the signature verification passes.
Optionally, acquiring the data digest of the target data collected by the terminal device includes:
receiving, from the terminal device, a data digest of the target data collected by the terminal device; or receiving, from the terminal device, the target data collected by the terminal device, and computing the data digest of the target data locally.
Optionally, signing the data digest based on a private key corresponding to the pluggable device in the secure computing environment includes:
acquiring identity information input by a user of the pluggable device;
performing identity authentication on the user based on the acquired identity information;
and if the identity authentication of the user passes, signing the data digest in the secure computing environment based on the private key corresponding to the pluggable device.
Optionally, a key generation algorithm is stored in the secure operating environment;
the method further comprises the following steps:
acquiring identity information input by a user of the pluggable device when the pluggable device is used for the first time;
performing identity authentication on the user based on the acquired identity information;
if the identity authentication of the user passes, calling the key generation algorithm in the secure computing environment to generate the private key and the public key; and
binding the generated private key to the identity information of the user, and storing the binding relationship in the secure computing environment.
Optionally, signing the data digest based on a private key corresponding to the pluggable device in the secure computing environment includes:
acquiring identity information input by a user of the pluggable device;
determining whether a private key bound with the identity information is stored in the secure computing environment;
and if so, signing the data digest based on a private key bound with the identity information in the secure operation environment.
Optionally, publishing the signed data digest to the blockchain includes:
publishing the signed data digest to the blockchain; or sending the signed data digest to the terminal device so that the terminal device publishes the data digest to the blockchain.
Optionally, the terminal device includes a law enforcement recorder or a vehicle event data recorder; the target data includes one or more of video data, audio data, and image data.
Optionally, the pluggable device carries a USB interface; and the pluggable device is docked in hardware with the terminal device through the USB interface.
Optionally, the pluggable device carries an SE secure computing chip; the secure computing environment is established based on the SE secure computing chip.
Optionally, the pluggable device carries an LED indicator light; the method further comprises the following steps:
controlling the LED indicator light to indicate the working state of the pluggable device to the user; wherein the working state comprises a working state in which an operation is being performed in the secure computing environment, and a working state in which the operation in the secure computing environment has been completed.
This specification also provides a blockchain-based data evidence storage apparatus, applied to a pluggable device docked with a terminal device; the pluggable device carries a secure computing environment; a private key corresponding to the pluggable device is stored in the secure computing environment; the apparatus comprises:
an acquisition module, which acquires a data digest of target data collected by the terminal device;
a signature module, which signs the data digest in the secure computing environment based on the private key corresponding to the pluggable device;
and a publishing module, which publishes the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key, and stores the data digest in the blockchain after the signature verification passes.
Optionally, the acquisition module:
receives, from the terminal device, a data digest of the target data collected by the terminal device; or receives, from the terminal device, the target data collected by the terminal device, and computes the data digest of the target data locally.
Optionally, the signature module:
acquiring identity information input by a user of the pluggable device;
performing identity authentication on the user based on the acquired identity information;
and if the identity authentication of the user passes, signing the data digest in the secure computing environment based on the private key corresponding to the pluggable device.
Optionally, a key generation algorithm is stored in the secure operating environment;
the device further comprises:
an authentication module, which acquires identity information input by a user of the pluggable device when the pluggable device is used for the first time, and performs identity authentication on the user based on the acquired identity information;
a generating module, which, if the identity authentication of the user passes, calls the key generation algorithm in the secure computing environment to generate the private key and the public key, binds the generated private key to the identity information of the user, and stores the binding relationship in the secure computing environment.
Optionally, the signature module:
acquiring identity information input by a user of the pluggable device;
determining whether a private key bound with the identity information is stored in the secure computing environment;
and if so, signing the data digest based on a private key bound with the identity information in the secure operation environment.
Optionally, the publishing module:
publishes the signed data digest to the blockchain; or sends the signed data digest to the terminal device so that the terminal device publishes the data digest to the blockchain.
Optionally, the terminal device includes a law enforcement recorder or a vehicle event data recorder; the target data includes one or more of video data, audio data, and image data.
Optionally, the pluggable device carries a USB interface; and the pluggable device is docked in hardware with the terminal device through the USB interface.
Optionally, the pluggable device carries an SE secure computing chip; the secure computing environment is established based on the SE secure computing chip.
Optionally, the pluggable device carries an LED indicator light; the apparatus further comprises:
a control module, which controls the LED indicator light to indicate the working state of the pluggable device to the user; wherein the working state comprises a working state in which an operation is being performed in the secure computing environment, and a working state in which the operation in the secure computing environment has been completed.
This specification also proposes a pluggable device comprising:
a processor;
a memory for storing machine executable instructions;
wherein, by reading and executing machine-executable instructions stored in the memory that correspond to control logic for blockchain-based data evidence storage, the processor is caused to perform:
acquiring a data digest of target data collected by a terminal device; the pluggable device is docked with the terminal device; the pluggable device carries a secure computing environment; a private key corresponding to the pluggable device is stored in the secure computing environment;
signing the data digest in the secure computing environment based on the private key corresponding to the pluggable device;
and publishing the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key, and stores the data digest in the blockchain after the signature verification passes.
In the above technical solution, on the one hand, the pluggable device carries a secure computing environment in which the private key corresponding to the pluggable device is stored; docking the pluggable device in hardware with the terminal device therefore conveniently provides the terminal device with a secure computing environment; the pluggable device can serve as general-purpose security hardware and be docked with different terminal devices, providing each of them with a secure computing environment; moreover, when the terminal device needs to store collected data on the blockchain as evidence, the collected data can be signed with the stored private key in the secure computing environment carried on the pluggable device, and the signed data is published to the blockchain for evidence storage, so that the data stored on the blockchain is protected against illegal tampering in transit, ensuring data security when data is stored on the blockchain;
on the other hand, with the improved evidence storage process, the terminal device no longer needs to store the original content of the collected data on the blockchain; only the data digest of the original content is stored on the blockchain, so that the terminal device can act as a hub between the physical world and the on-chain world, and collected data can be stored on the blockchain more conveniently; moreover, a third party that obtains data collected by the terminal device can conveniently verify its validity by matching the data digest of the obtained data against the data digest stored on the blockchain; the terminal device can therefore submit collected data to a third party as evidence, which significantly improves the usability of the data collected by the terminal device.
Detailed Description
Because data stored in a blockchain cannot be tampered with, storing data on a blockchain as evidence is currently the mainstream trend in the industry.
However, in practical applications, some stream data, such as the video and audio streams collected by a law enforcement recorder or a vehicle event data recorder, occupies so much storage space that it cannot be stored directly on the blockchain as evidence.
In some scenarios, however, there is still a strong need to store such stream data as evidence; for example, in a judicial evidence scenario, a video stream collected by a law enforcement recorder or a vehicle event data recorder may be submitted to a judicial department as evidence.
Because a means of authenticating the data is lacking, the validity of such stream data as evidence is often widely challenged. The best way to handle such stream data is therefore to store it on the blockchain as evidence; at the same time, it must be convenient to verify the validity of the stored data as judicial evidence.
Based on the above requirements, this specification provides a technical solution that uses a pluggable device to build a secure computing environment for a terminal device, so that data collected by the terminal device can be conveniently stored on a blockchain.
In implementation, a secure computing environment can be built on the pluggable device in advance, with the private key corresponding to the pluggable device stored in it; docking the pluggable device in hardware with the terminal device then provides the terminal device with that secure computing environment;
for example, a Secure Element (SE) secure computing chip may be mounted on the pluggable device to build a secure computing environment for the pluggable device, and the private key corresponding to the pluggable device may be stored in that environment. Meanwhile, a general-purpose interface such as USB can be reserved on the terminal device, so that the pluggable device can be connected to the terminal device through that interface, docking in hardware with the terminal device and providing it with the secure computing environment.
Furthermore, after the terminal device collects data that needs to be stored on the blockchain, the pluggable device can acquire a data digest of the target data collected by the terminal device;
for example, the terminal device may compute the data digest of the collected target data and send the computed digest to the pluggable device; or the terminal device may send the collected target data directly to the pluggable device, which computes the digest locally to obtain the data digest of the target data.
After acquiring the data digest of the target data collected by the terminal device, the pluggable device can sign the data digest with the stored private key in the secure computing environment it carries, and the signed data digest is then published to the blockchain.
For example, the pluggable device may publish the signed data digest directly to the blockchain; or the pluggable device may send the signed data digest to the terminal device, and the terminal device publishes it to the blockchain.
After receiving the published signed data digest, a node device in the blockchain may obtain the public key corresponding to the private key of the pluggable device and verify the signature of the data digest with that public key; if the signature verification passes, the data digest can be stored in the blockchain as evidence.
The present specification is described below with reference to specific embodiments and specific application scenarios.
Referring to Fig. 1, Fig. 1 shows a blockchain-based data evidence storage method according to an embodiment of this specification, applied to a pluggable device docked with a terminal device; the pluggable device carries a secure computing environment; the secure computing environment stores a private key corresponding to the pluggable device; the method performs the following steps:
Step 102: acquiring a data digest of target data collected by the terminal device;
Step 104: signing the data digest in the secure computing environment based on the private key corresponding to the pluggable device;
Step 106: publishing the signed data digest to the blockchain, so that a node device in the blockchain verifies the signature of the data digest based on the public key corresponding to the private key, and stores the data digest in the blockchain after the signature verification passes.
The blockchain described in this specification may be a private chain, a public chain, a consortium chain, or the like, and is not particularly limited in this specification.
For example, in one scenario, the blockchain may be a consortium chain whose member devices are a server of a third-party payment platform, a domestic bank server, an overseas bank server, and several user node devices. The operator of the consortium chain can rely on it to deploy online services such as consortium-chain-based cross-border transfers and asset transfers.
The terminal device may include any terminal device that can join a blockchain as a node device and store collected data on the blockchain as evidence;
for example, in practical applications, the terminal device may be a law enforcement recorder or a vehicle event data recorder. The law enforcement recorder or vehicle event data recorder can join the blockchain as a node and store collected stream data, such as video data and audio data, on the blockchain as evidence.
Storing data on the blockchain as evidence means persisting the data in the blockchain as evidence.
The target data comprises any type of data which is acquired by the terminal equipment and needs to be stored in a distributed database of the block chain;
for example, the target data may be specifically streaming data such as video data, audio data, image data, and the like collected by a terminal device such as a law enforcement recorder or a vehicle data recorder.
In this specification, a secure computing environment may be built for the terminal device, and that environment is used to store and maintain the private key that signs the data the terminal device needs to store on the blockchain as evidence.
In implementation, a secure computing environment can be built on the pluggable device in advance, with the private key corresponding to the pluggable device stored in it; docking the pluggable device with the terminal device then provides the terminal device with the secure computing environment built on the pluggable device.
In this way, there is no need to modify the hardware environment of the terminal device or to introduce new hardware into it in order to build a secure computing environment for the terminal device; docking the pluggable device with the terminal device is enough to provide the terminal device with a secure computing environment, so the pluggable device can be docked in hardware with different terminal devices as general-purpose hardware and provide each of them with a secure computing environment.
The specific way of docking between the terminal device and the pluggable device is not particularly limited in this specification, and those skilled in the art can flexibly select the technical scheme in this specification when implementing the technical scheme in this specification;
in one illustrated implementation, the pluggable device may dock in hardware with the terminal device through a hardware interface provided on the terminal device.
Of course, in practical applications, besides docking in hardware through a hardware interface provided on the terminal device as described above, docking may also be implemented through a software interface;
for example, in one implementation, a Bluetooth interface may be provided on the terminal device, and the pluggable device may establish a Bluetooth connection with the terminal device through that interface and dock with it over wireless data communication.
The specific manner of establishing the secure computing environment in the hardware environment of the terminal device is not particularly limited in this specification.
In one illustrated embodiment, a secure computing environment may be built for the pluggable device using an SE (Secure Element) based solution.
Under this solution, an SE secure computing chip is introduced into the hardware environment of the pluggable device, and the secure computing environment is built by using the SE secure computing chip to store and maintain the private key of the pluggable device.
Referring to fig. 2, fig. 2 is a hardware structure diagram of a pluggable device shown in this specification.
As shown in Fig. 2, the pluggable device may include a housing, a PCB circuit board disposed inside the housing, and a USB interface, an SE secure computing chip, and an LED indicator light mounted on the PCB circuit board.
The SE secure computing chip is electrically connected to the USB interface; it provides the secure computing environment for the pluggable device and stores and maintains the private key corresponding to the pluggable device.
The USB interface is electrically connected to the SE secure computing chip and is used for hardware docking with the terminal device;
for example, referring to fig. 3 and 4, taking a terminal device as a portable recording device as an example, a USB socket may be provided on the portable recording device, a USB interface may be provided on the pluggable device, and a user may implement hardware docking with the portable recording device by inserting the USB interface on the pluggable device into the USB socket of the portable recording device.
It should be noted that the USB interface described in this specification refers to the end of the USB connection that acts as the USB slave; the USB socket described in this specification refers to the end that acts as the USB host.
The LED indicator light is electrically connected to the SE secure computing chip and is used to indicate the current working state of the pluggable device to the user;
for example, in implementation, the processing capability of the SE secure computing chip itself may be used: control logic for driving the LED indicator light to indicate the working state of the pluggable device is embedded in the SE secure computing chip, and the chip executes that control logic to indicate the working state of the pluggable device to the user.
In this specification, the working state of the pluggable device may specifically include a working state in which an operation is being executed in the secure operation environment; and a working state in which the operation is completed in the secure operation environment.
For example, while the target data collected by the terminal device is being signed in the secure computing environment with the private key stored there, the pluggable device may be said to be in the working state in which an operation is being performed in the secure computing environment; after the signing of the target data collected by the terminal device with the private key stored in the secure computing environment has finished, the pluggable device may be said to be in the working state in which the operation in the secure computing environment has been completed.
It should be noted that, a specific control logic for prompting the working state of the pluggable device to the user through the LED indicator light may be defined based on actual requirements when a person skilled in the art implements the technical solution of the present specification, and is not particularly limited in the present specification;
for example, in one illustrated implementation, the control logic may be as follows: while the pluggable device is performing an operation in the secure computing environment provided by the SE secure computing chip, it keeps the LED indicator light steadily on to indicate that the pluggable device is in the "operation in progress" working state; after the pluggable device completes the operation in the secure computing environment provided by the SE secure computing chip, it turns the LED indicator light off to indicate that the pluggable device is in the "operation finished" working state.
In another illustrated implementation, the control logic may be as follows: while the pluggable device is performing an operation in the secure computing environment provided by the SE secure computing chip, it keeps the LED indicator light off to indicate that the pluggable device is in the "operation in progress" working state; after the pluggable device completes the operation in the secure computing environment provided by the SE secure computing chip, it makes the LED indicator light flash several times at a preset frequency to indicate that the pluggable device is in the "operation finished" working state.
Of course, in this specification, besides building a secure computing environment for the pluggable device by introducing an SE secure computing chip into its hardware environment, a secure computing environment may in practical applications also be built for the pluggable device in other ways;
for example, in one illustrated embodiment, a secure computing environment may be built for the terminal device using a solution based on a TEE (Trusted Execution Environment). Under this solution, the software environment of existing hardware in the pluggable device (such as the existing main processing chip) is modified, with no additional secure computing chip introduced; a trusted execution environment is built in that software environment, and the secure computing environment is built by using the trusted execution environment to store and maintain the private key of the pluggable device.
As another example, in another illustrated embodiment, a secure computing environment may be built for the terminal device using a solution based on SE + TEE. Under this solution, the SE secure computing chip may be used to store and maintain the private key of the pluggable device, and the TEE may be used to provide the secure computing environment for the pluggable device.
In this specification, the pluggable device may join the blockchain as a node device (also referred to as putting the device on chain), and the private key corresponding to the pluggable device is stored and maintained in the secure computing environment built for the pluggable device.
The private key corresponding to the pluggable device may be specifically a private key held by the pluggable device, or a private key held by a user of the pluggable device.
That is, the "private key corresponding to the pluggable device" described in this specification may be specifically a private key that is generated for the pluggable device by a device manufacturer of the pluggable device in the device production phase and is held by the pluggable device; or a private key autonomously generated by the pluggable device for the user and personally held by the user when the user uses the pluggable device.
In an embodiment shown, the private key and the public key held by the pluggable device may be generated by the device manufacturer for the pluggable device in the device production stage, and the private key is written into the secure computing environment of the pluggable device in advance by the device manufacturer for storage and maintenance.
In this case, the private key and the public key held by the pluggable device are not associated with the identity of the user using the pluggable device. The same private key written into the secure computing environment of the pluggable device by default by the device manufacturer may be shared by different users of the pluggable device.
In an embodiment shown, the private key and the public key held by the pluggable device may also be generated by the pluggable device for the user of the pluggable device, and the private key is written into the secure computing environment of the pluggable device by the pluggable device.
In this case, the private key and the public key that are generated by the pluggable device independently may be associated with the identity of the user of the pluggable device, and the pluggable device may generate a pair of private key and a pair of public key for different users based on the identity information of different users, respectively bind the generated private key and the identity information of each user, and then store and maintain the binding relationship in the secure operation environment.
For example, in implementation, the manufacturer of the pluggable device may write the key generation algorithm into the secure computing environment of the pluggable device in advance. When a user uses the pluggable device, the pluggable device can prompt the user to input identity information for identity authentication; the data type of the identity information input by the user and the identity authentication method adopted by the pluggable device are not particularly limited in this specification; for example, a conventional authentication method such as entering a password may be used, or an authentication method based on physiological characteristics such as a fingerprint or a face.
After the pluggable device acquires the identity information input by the user, it can determine whether a private key bound to that identity information is stored in the secure computing environment; if no private key bound to the identity information is stored in the secure computing environment, the user is a new user who is using the pluggable device for the first time, and at this point the terminal device can perform identity authentication on the user based on the acquired identity information; if the identity authentication of the user passes, the pluggable device can call the key generation algorithm in the secure computing environment to generate a private key and public key pair, bind the generated private key to the identity information of the user, and then store and maintain the binding relationship in the secure computing environment. In this specification, a user can use a terminal device to collect data; the collected data is signed in the secure computing environment on the pluggable device based on the private key of the pluggable device, and is then published to the blockchain for evidence storage.
In this specification, when the terminal device stores the collected target data on the blockchain, the collected data may only need to be stored locally, and the data summary of the collected data may be stored on the blockchain, and the original content of the collected data does not need to be stored on the blockchain.
It should be noted that, in practical applications, if the target data acquired by the terminal device is stream data such as video data or audio data, then when storing the stream data on a blockchain the terminal device may also store it in slices according to a preset time period;
for example, taking video data as an example, the terminal device may treat every N minutes of video data as a slice, calculate a data digest of the slice, store the data digest of the slice in the blockchain, and strictly preserve the temporal order of the slice digests stored in the blockchain so that they can be traced back.
In this specification, when the terminal device stores the acquired target data on the blockchain, the pluggable device may obtain the data digest of the target data acquired by the terminal device, and perform signature processing on the data digest of the target data based on a private key held by the pluggable device in a secure operation environment.
The data summary of the target data collected by the terminal device may be calculated locally by the terminal device, or may be calculated locally by the pluggable device.
In an embodiment shown, when the terminal device stores the collected target data on the blockchain, the terminal device may locally calculate a data digest of the target data; for example, the data digest may specifically be a hash value of the target data calculated based on a specific hash algorithm. The terminal device can then send the calculated data digest to the docked pluggable device; the pluggable device can receive the data digest of the target data sent by the terminal device and sign it based on a private key held by the pluggable device in a secure operation environment.
In an embodiment shown, when the terminal device stores the acquired target data on the blockchain, the terminal device may also send the original content of the acquired target data to the pluggable device; the pluggable device can receive the target data sent by the terminal device, locally calculate the data abstract of the received target data, and then sign the calculated data abstract of the target data based on a private key held by the pluggable device in a secure operation environment.
In one scenario, if the private key stored and maintained in the secure operation environment of the pluggable device is generated for the pluggable device by a device manufacturer in the device production stage, the private key is held by the pluggable device. In this case, an identity authentication mechanism for the user of the pluggable device can be introduced to prompt the user to input identity information for identity authentication. After the pluggable device acquires the identity information input by the user, it can perform identity authentication on the user based on the acquired identity information; if the identity authentication passes, the pluggable device can sign the data digest in the secure computing environment based on the private key that it holds and that is stored and maintained in the secure computing environment.
In another scenario, if the private key stored and maintained in the secure operation environment of the pluggable device is generated independently for the user, the private key is held by the user; in this scenario, the binding relationship between the identity information of the user and the private key is stored and maintained in advance in the secure computing environment.
In this case, after the pluggable device obtains the identity information input by the user, the binding relationship maintained in the secure computing environment can be queried to determine whether the private key bound with the identity information is stored in the secure computing environment; if the private key bound to the identity information is stored in the secure operation environment, the pluggable device can perform signature processing on the data abstract based on the inquired private key in the secure operation environment.
Certainly, if the private key bound to the identity information is not stored in the secure computing environment, indicating that the user is a new user who uses the pluggable device for the first time, the pluggable device can perform identity authentication on the user based on the acquired identity information, and after the identity authentication is passed, call a key generation algorithm stored in the secure computing environment to generate a private key and a public key for the user, and use the generated private key to perform signature processing on the data digest; and binding the generated private key with the identity information of the user, and then storing and maintaining the binding relationship in a secure operation environment.
In this specification, after the pluggable device has, in the secure operation environment, signed the data digest of the target data acquired by the terminal device based on the private key stored in the secure operation environment, the signed data digest may be issued to the blockchain;
for example, a blockchain transaction (Transaction) may be constructed based on the signed data digest, and the transaction may be broadcast to other node devices.
The signed data digest can be issued to the blockchain directly by the pluggable device, or it can be sent by the pluggable device to the terminal device and then issued to the blockchain by the terminal device.
After receiving the published signed data digest, the node device in the block chain can acquire a public key corresponding to a private key stored in a secure operation environment, and then verify the signature of the data digest based on the acquired public key; if the signature of the data digest is verified, the node device may initiate a consensus process for the data digest in the blockchain, and package the data digest into blocks for storage in the blockchain after the data digest consensus process is passed, so as to complete data storage for the data digest.
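The key lookup, first-use key generation, signing and node-side verification described above can be traced in the following added example, which is not code from the specification. It assumes Ed25519 signatures and SHA-256 digests (the specification names no algorithms), models the secure operation environment as a Go struct, and uses a hypothetical `auth` hook in place of the unspecified authentication method.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrAuthFailed is returned when a first-time user fails identity authentication.
var ErrAuthFailed = errors.New("identity authentication failed")

// SecureEnv is a software stand-in for the secure operation environment
// (assumption: the real one is hardware). Private keys stay inside this
// struct; callers only ever receive signatures and public keys.
type SecureEnv struct {
	bindings map[[32]byte]ed25519.PrivateKey // SHA-256(identity info) -> bound private key
	auth     func(identity []byte) bool      // hypothetical authentication hook
}

// NewSecureEnv creates an empty environment with the given authentication hook.
func NewSecureEnv(auth func(identity []byte) bool) *SecureEnv {
	return &SecureEnv{bindings: make(map[[32]byte]ed25519.PrivateKey), auth: auth}
}

// Digest computes the data digest; SHA-256 is this example's choice of hash.
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }

// SignDigest looks up the private key bound to the identity information. If
// none exists the user is treated as new: the user is authenticated, a key
// pair is generated, and the binding is stored before signing. It returns the
// signature and the public key that chain nodes verify against.
func (s *SecureEnv) SignDigest(identity []byte, digest [32]byte) ([]byte, ed25519.PublicKey, error) {
	id := sha256.Sum256(identity)
	priv, bound := s.bindings[id]
	if !bound {
		if !s.auth(identity) {
			return nil, nil, ErrAuthFailed // no key is generated for a rejected user
		}
		_, generated, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		s.bindings[id] = generated
		priv = generated
	}
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, digest[:]), pub, nil
}

// NodeAccepts is the check a node device runs before starting consensus on
// the digest: the signature must verify under the signer's public key.
func NodeAccepts(pub ed25519.PublicKey, digest [32]byte, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, digest[:], sig)
}

func main() {
	// Constructed policy and sample inputs, for illustration only.
	env := NewSecureEnv(func(identity []byte) bool { return len(identity) >= 8 })
	digest := Digest([]byte("constructed sample: bytes of one video slice"))

	sig, pub, err := env.SignDigest([]byte("constructed-identity-info"), digest)
	fmt.Println("signed:", err == nil)
	fmt.Println("node accepts:", err == nil && NodeAccepts(pub, digest, sig))
	fmt.Println("node accepts altered digest:",
		err == nil && NodeAccepts(pub, Digest([]byte("altered data")), sig))
}
```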
It should be noted that the consensus mechanism adopted by the block chain described in this specification is not particularly limited in this specification, and in practical applications, an operator of the block chain may flexibly select the consensus mechanism based on actual needs.
In another embodiment shown, when the terminal device stores the collected target data on the blockchain, the terminal device may also store the description data of the target data and the data abstract of the target data on the blockchain together.
In this case, when the data digest of the target data is signed in the secure operation environment of the pluggable device based on the private key stored there, the data digest and the description information of the target data may be signed as a whole; that is, the data digest and the description information of the target data are packed together and then signed as a single unit. The signed data digest and description data of the target data are then issued to the blockchain for data storage.
For example, a blockchain transaction may be constructed based on the signed data digest and the description data of the target data, and the transaction may be broadcast to other node devices.
Alternatively, when the data digest of the target data is signed in the secure operation environment of the pluggable device based on the private key stored there, only the data digest may be signed; the description data of the target data and the signed data digest are then issued to the blockchain for data storage.
For example, a blockchain transaction may be constructed based on the description data of the target data and the signed data digest, and the transaction may be broadcast to other node devices.
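The two signing options above differ in what the signature covers, which the following added example (not code from the specification) makes concrete: when digest and description are signed as a whole, a change to the description fails verification, whereas a digest-only signature still verifies after the description has changed. Ed25519, SHA-256, the length-prefixed packing and all type and function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Description carries the description data named in the specification.
type Description struct{ Time, Place, Object string }

// Record is the content of one published transaction in this example.
type Record struct {
	Digest   [32]byte
	Desc     Description
	Sig      []byte
	Integral bool // true: signature covers digest and description; false: digest only
}

// NewDeviceKey generates the key pair that would live in the secure environment.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBytes returns exactly the bytes the signature covers. For integral
// signing each description field is length-prefixed so that field boundaries
// cannot be shifted without changing the signed message.
func signedBytes(r Record) []byte {
	msg := append([]byte{}, r.Digest[:]...)
	if !r.Integral {
		return msg
	}
	for _, field := range []string{r.Desc.Time, r.Desc.Place, r.Desc.Object} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		msg = append(append(msg, n[:]...), field...)
	}
	return msg
}

// SignRecord digests the data and signs it, with or without the description.
func SignRecord(priv ed25519.PrivateKey, data []byte, desc Description, integral bool) Record {
	r := Record{Digest: sha256.Sum256(data), Desc: desc, Integral: integral}
	r.Sig = ed25519.Sign(priv, signedBytes(r))
	return r
}

// VerifyRecord is the node-side signature check over the covered bytes.
func VerifyRecord(pub ed25519.PublicKey, r Record) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, signedBytes(r), r.Sig)
}

func main() {
	pub, priv := NewDeviceKey()
	// Constructed sample description values.
	desc := Description{Time: "2024-01-01T08:00:00Z", Place: "constructed place A", Object: "constructed vehicle 1"}
	for _, integral := range []bool{true, false} {
		r := SignRecord(priv, []byte("constructed video bytes"), desc, integral)
		r.Desc.Place = "constructed place B" // description changed after signing
		fmt.Printf("integral=%v: record with changed description verifies: %v\n",
			integral, VerifyRecord(pub, r))
	}
}
```

With digest-only signing, the integrity of the description data therefore rests on the blockchain record itself rather than on the device signature.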
The specific contents included in the description information of the target data are not particularly limited in this specification; in practical applications, any content related to the target data may be included.
In one embodiment shown, because the acquisition time of the data, the acquisition place, and the objects to which the data relates are usually extremely important attributes of data that serves as an evidence file, the description information of the target data in this specification may specifically include one or a combination of more of the acquisition time, the acquisition place, and the object related to the target data.
In an embodiment shown, the acquisition time of the target data may specifically be an authenticated authoritative time (timestamp) that the terminal device obtains by interacting with a time authentication center when it acquires the target data. The acquisition place of the target data may be an accurate acquisition place obtained by the terminal device calling its positioning module (such as a GPS module) in real time when it collects the target data. The object related to the target data may be a related object manually input by a legitimate user of the terminal device after the terminal device collects the target data.
For example, taking forensic video data of a car accident collected by a law enforcement recorder as an example, the description information of the video data may specifically include the authoritative time acquired from a time authentication center when the video data is collected, the accurate acquisition place obtained by the law enforcement recorder calling its positioning module in real time when the video data is collected, and the vehicle information, driver information and the like related to the video data as input by law enforcement.
In the above technical solution, on one hand, the pluggable device carries a secure operation environment, and a private key corresponding to the pluggable device is stored in the secure operation environment; therefore, by docking the pluggable device with the terminal device in hardware, a secure operation environment can be conveniently provided for the terminal device. The pluggable device can serve as general-purpose security hardware and be docked with different terminal devices, thereby providing a secure operation environment for each of them;
moreover, when the terminal device needs to store acquired data on the blockchain as evidence, the data acquired by the terminal device can be signed with the stored private key in the secure operation environment carried on the pluggable device, and the signed data is issued to the blockchain for evidence storage, so that the data stored on the blockchain can be prevented from being illegally tampered with during transmission, ensuring data security when data is stored on the blockchain;
for example, a pluggable device may be put on the chain in advance, obtaining a public and private key pair as its identity on the blockchain, and may maintain and store the private key in the secure computing environment. When a user needs to store on the blockchain the data collected by a device that has not been put on the chain, the user can insert the USB interface of the pluggable device into the USB socket of the terminal device to dock with it in hardware, providing the secure operation environment of the pluggable device to the terminal device, so that the terminal device is quickly converted into a device that is on the chain and the data storage on the blockchain can be completed. Furthermore, after that terminal device completes data storage, when the user needs to store data collected by other terminal devices on the blockchain, the same operation can be performed: the other terminal device is docked in hardware with the pluggable device and is thereby quickly converted into a device that is on the chain.
On the other hand, by improving the process of storing evidence on the blockchain, the terminal device no longer needs to store the original content of the acquired data on the blockchain; instead, the data digest of the original content of the acquired data is stored on the blockchain, so that the terminal device can serve as a hub between the physical world and the on-chain world, and the acquired data can be stored on the blockchain more conveniently. Moreover, a third party that obtains the data collected by the terminal device can conveniently verify the obtained data by matching the data digest of the obtained data against the data digest stored on the blockchain; therefore, the terminal device can submit the collected data to a third party as evidence, and the usability of the data collected by the terminal device can be remarkably improved.
For example, for terminal devices such as a law enforcement recorder or a vehicle event data recorder, it is only necessary to store the original content of the collected streaming data, such as video data and audio data, locally and to store the data digest of the original content of the streaming data on the blockchain; it is no longer necessary to store the original content of the streaming data on the blockchain;
moreover, when the user submits the streaming data acquired by the law enforcement recorder or the automobile data recorder as evidence to a third-party organization (such as a judicial organization or an insurance company), the third-party organization only needs to recalculate the data digest of the obtained data and match it against the data digest stored on the blockchain, so that the obtained data can be conveniently verified; in this way, the usability of the data acquired by the law enforcement recorder or the automobile data recorder as legal evidence files can be remarkably improved.
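The slice-by-slice digest storage described earlier and the third-party check described above are combined in the following added example, which is not code from the specification. It assumes SHA-256, uses a byte count in place of "every N minutes", and records an explicit sequence number per slice as one way to keep the temporal order checkable; all names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// SliceRecord is one on-chain entry in this example: the slice's position in
// the stream plus the digest of the slice.
type SliceRecord struct {
	Seq    int
	Digest [32]byte
}

// SliceDigests cuts the stream into slices of sliceLen bytes and returns one
// record per slice, in stream order. The last slice may be shorter.
func SliceDigests(stream []byte, sliceLen int) []SliceRecord {
	if sliceLen <= 0 {
		return nil
	}
	var out []SliceRecord
	for off, seq := 0, 0; off < len(stream); off, seq = off+sliceLen, seq+1 {
		end := off + sliceLen
		if end > len(stream) {
			end = len(stream)
		}
		out = append(out, SliceRecord{Seq: seq, Digest: sha256.Sum256(stream[off:end])})
	}
	return out
}

// VerifyStream is the third-party check: recompute the slice digests of the
// submitted data and match them, in order, against the on-chain records.
// It returns -1 when everything matches, otherwise the index of the first
// slice that is altered, out of order, missing, or has no on-chain digest.
func VerifyStream(submitted []byte, sliceLen int, onChain []SliceRecord) int {
	local := SliceDigests(submitted, sliceLen)
	for i, rec := range onChain {
		if rec.Seq != i || i >= len(local) || local[i].Digest != rec.Digest {
			return i
		}
	}
	if len(local) > len(onChain) {
		return len(onChain) // submitted data extends past what was recorded
	}
	return -1
}

func main() {
	// Constructed sample stream; 4 bytes per slice stands in for N minutes.
	stream := []byte("0123456789")
	onChain := SliceDigests(stream, 4)

	fmt.Println("original:", VerifyStream(stream, 4, onChain))
	fmt.Println("one byte altered:", VerifyStream([]byte("01234X6789"), 4, onChain))
	fmt.Println("slices swapped:", VerifyStream([]byte("4567012389"), 4, onChain))
	fmt.Println("truncated:", VerifyStream(stream[:8], 4, onChain))
}
```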
Corresponding to the above method embodiments, the present specification further provides an embodiment of a blockchain-based data evidence storage apparatus. The embodiment of the blockchain-based data evidence storage apparatus in this specification can be applied to an electronic device. The electronic device can be a pluggable device docked with the terminal device; the electronic device carries a secure operation environment, and a private key corresponding to the electronic device is stored in the secure operation environment. The apparatus embodiment can be implemented by software, by hardware, or by a combination of software and hardware. Taking a software implementation as an example, the apparatus, as a logical apparatus, is formed by the processor of the electronic device in which it is located reading the corresponding computer program instructions from the nonvolatile memory into the memory and running them. In terms of hardware, fig. 5 is a hardware structure diagram of the electronic device in which the blockchain-based data evidence storage apparatus of this specification is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 5, the electronic device in which the apparatus is located may also include other hardware according to the actual function of the electronic device, which is not described again.
Fig. 6 is a block diagram illustrating a blockchain-based data evidence storage apparatus according to an exemplary embodiment of the present disclosure.
Referring to fig. 6, the blockchain-based data evidence storage apparatus 60 can be applied to the electronic device shown in fig. 5, and includes: an obtaining module 601, a signature module 602, and an issuing module 603.
An obtaining module 601, configured to obtain a data summary of target data collected by the terminal device;
a signature module 602, configured to sign the data digest based on a private key corresponding to the pluggable device in the secure computing environment;
the issuing module 603 is configured to issue the signed data digest to the block chain, so that a node device in the block chain verifies the signature of the data digest based on a public key corresponding to the private key, and after the signature verification passes, performs data storage on the data digest in the block chain.
In this embodiment, the obtaining module 601 is configured to perform:
receiving a data abstract of target data which is sent by the terminal equipment and collected by the terminal equipment; or receiving target data which is sent by the terminal equipment and collected by the terminal equipment, and locally calculating a data summary of the target data.
In this embodiment, the signature module 602 is configured to perform:
acquiring identity information input by a user of the pluggable device;
performing identity authentication on the user based on the acquired identity information;
and if the identity authentication aiming at the user passes, signing the data abstract based on a private key corresponding to the pluggable device in the secure operation environment.
In this embodiment, a key generation algorithm is stored in the secure computing environment;
the apparatus 60 further comprises:
an authentication module 604, configured to obtain identity information input by a user of the pluggable device when the user first uses the pluggable device, and to perform identity authentication on the user based on the acquired identity information;
a generating module 605, configured to, if the identity authentication for the user passes, invoke the key generation algorithm in the secure computing environment to generate the private key and the public key, bind the generated private key with the identity information of the user, and store the binding relationship in the secure operation environment.
In this embodiment, the signature module 602 is configured to perform:
acquiring identity information input by a user of the pluggable device;
determining whether a private key bound with the identity information is stored in the secure computing environment;
and if so, signing the data digest based on a private key bound with the identity information in the secure operation environment.
In this embodiment, the issuing module 603 is configured to perform:
publishing the signed data digest to the blockchain; or sending the signed data abstract to the terminal equipment so that the terminal equipment can issue the data abstract to the block chain.
In this embodiment, the terminal device includes a law enforcement recorder or a vehicle event data recorder; the target data includes one or more of video data, audio data, and image data.
In this embodiment, the pluggable device carries a USB interface, and the pluggable device is docked in hardware with the terminal device through the USB interface.
In this embodiment, the pluggable device carries an SE secure computing chip; the safe operation environment is established based on the SE safe calculation chip.
In this embodiment, the pluggable device carries an LED indicator light; the apparatus 60 further comprises:
a control module 606, configured to control the LED indicator light to indicate the working state of the pluggable device to the user; wherein the working state comprises a working state in which an operation is being performed in the secure computing environment, and a working state in which an operation in the secure operation environment has been completed.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
The systems, devices, or modules illustrated in the above embodiments may be implemented by a computer chip or an entity, or by an article of manufacture with certain functionality. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the above method embodiments, the present specification also provides an embodiment of a pluggable device. The pluggable device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
acquiring a data abstract of target data acquired by terminal equipment; the pluggable equipment is in butt joint with the terminal equipment; the pluggable equipment carries a safe operation environment; a private key corresponding to the pluggable device is stored in the secure operation environment;
signing the data digest based on a private key corresponding to the pluggable device in the secure computing environment;
and issuing the signed data abstract to the block chain, verifying the signature of the data abstract by the node equipment in the block chain based on the public key corresponding to the private key, and storing the data abstract in the block chain after the signature verification is passed.
In this embodiment, the processor is caused to:
receiving a data abstract of target data which is sent by the terminal equipment and collected by the terminal equipment; or receiving target data which is sent by the terminal equipment and collected by the terminal equipment, and locally calculating a data summary of the target data.
In this embodiment, the processor is caused to:
acquiring identity information input by a user of the pluggable device;
performing identity authentication on the user based on the acquired identity information;
and if the identity authentication aiming at the user passes, signing the data abstract based on a private key corresponding to the pluggable device in the secure operation environment.
In this embodiment, a key generation algorithm is stored in the secure computing environment;
by reading and executing machine-executable instructions stored by the memory corresponding to control logic for blockchain-based data storage, the processor is caused to:
acquiring identity information input by a user of the pluggable device when the pluggable device is used for the first time;
performing identity authentication on the user based on the acquired identity information;
if the identity authentication for the user passes, calling the key generation algorithm in the secure operation environment to generate the private key and the public key; and
and binding the generated private key with the identity information of the user, and storing the binding relationship in the secure operation environment.
In this embodiment, the processor is caused to:
acquiring identity information input by a user of the pluggable device;
determining whether a private key bound with the identity information is stored in the secure computing environment;
and if so, signing the data digest based on a private key bound with the identity information in the secure operation environment.
In this embodiment, the processor is caused to:
publishing the signed data digest to the blockchain; or sending the signed data abstract to the terminal equipment so that the terminal equipment can issue the data abstract to the block chain.
In this embodiment, the pluggable device carries an LED indicator light;
by reading and executing machine-executable instructions stored by the memory corresponding to control logic for blockchain-based data storage, the processor is caused to:
controlling the LED indicator light to indicate the working state of the pluggable device to a user; wherein the working state comprises a working state in which an operation is being performed in the secure computing environment, and a working state in which an operation in the secure operation environment has been completed.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.