CN111651776A - Access control record storage method and device - Google Patents


Publication number
CN111651776A
Authority
CN
China
Prior art keywords
access control
control record
ciphertext
record
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010398811.7A
Other languages
Chinese (zh)
Inventor
施运梅
马骁
李宁
田英爱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Information Science and Technology University
Original Assignee
Beijing Information Science and Technology University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the invention provides an access control record storage method and device. The method comprises: obtaining an access control record; encrypting the access control record to obtain an access control record ciphertext; and storing the access control record ciphertext on a blockchain. Because every access control record stored on the blockchain is encrypted, storage security is improved and the privacy leakage problem caused by the openness of blockchain data is solved.

Description

Access control record storage method and device
Technical Field
The present invention relates to the field of data storage technologies, and in particular, to a method and an apparatus for storing access control records.
Background
An access control record captures the important events and data related to an access control activity, such as which access control activity occurred and its result, the target of the activity, and the related operations of the user (including processes and services). Recording this information helps security experts confirm the identity of an attacker who has attacked the system, and gives other staff a reference and basis for auditing how the system is used and for making or modifying access control policy. During long-term storage of a file, an attacker may enter the system and tamper with the file's content; complete and valid access control records make it faster to locate the tampered file and can serve as evidence of the attack. At present, most research on access control record storage focuses on traditional cloud environments, and relatively little addresses newer environments such as blockchain and multi-cloud.
Data on a public chain is open: anyone can participate in the computation and obtain the complete blockchain data, which can reveal an institution's private information.
Unlike a public chain, the data of a consortium chain can be accessed only by the consortium's authorized enterprises and their users, but problems remain. A consortium chain usually has multiple participants, each of which may use a different operating system and office system, and the access control mechanisms of these systems may differ as well, so the access control records stored on the chain are inconsistent, which affects the auditing of the records and audit efficiency. In addition, all transaction information on the chain is public inside the consortium, which increases the risk of leaking participants' private information.
Symmetric and asymmetric encryption can address the leakage of consortium chain participants' private information, but most existing encryption schemes are limited to single-user scenarios and have high computational complexity, so they are poorly suited to a blockchain environment with weak programmability and many users.
Disclosure of Invention
Embodiments of the present invention provide an access control record storage method, apparatus, electronic device and readable storage medium that overcome the above-mentioned problems or at least partially solve the above-mentioned problems.
In a first aspect, an embodiment of the present invention provides an access control record storage method, including: acquiring an access control record; encrypting the access control record to obtain an access control record ciphertext; and storing the access control record ciphertext on a blockchain.
In some embodiments, encrypting the access control record to obtain the access control record ciphertext includes: self-encrypting the access control record to obtain a hash value of the access control record and an access control record intermediate ciphertext; and performing fusion encryption on the hash value of the access control record and the access control record intermediate ciphertext to obtain the access control record ciphertext.
In some embodiments, self-encrypting the access control record to obtain the hash value of the access control record and the access control record intermediate ciphertext includes: signing the access control record with the private key of the access control record owner, using the hash value of the access control record as a unique identification code, and encrypting the access control record and its signature with a symmetric encryption algorithm to obtain the access control record intermediate ciphertext.
In some embodiments, performing fusion encryption on the hash value of the access control record and the access control record intermediate ciphertext to obtain the access control record ciphertext includes: encrypting the hash value of the access control record and the access control record intermediate ciphertext with a preset symmetric key to obtain the access control record ciphertext.
In some embodiments, obtaining the access control record comprises: acquiring original data; acquiring a to-be-processed data list based on the original data; and acquiring the access control record based on the to-be-processed data list.
In a second aspect, an embodiment of the present invention provides an access control record storage apparatus, including: an acquisition unit configured to acquire an access control record; an encryption unit configured to encrypt the access control record to obtain an access control record ciphertext; and a storage unit configured to store the access control record ciphertext on the blockchain.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the access control record storage method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the access control record storage method as provided in the first aspect.
With the access control record storage method, the access control record storage device, the electronic device and the readable storage medium, every access control record stored on the blockchain is encrypted, so storage security is improved and the privacy leakage problem caused by the openness of blockchain data is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of a method for storing access control records according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application environment of an access control record storage method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a unified access control record storage method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an encryption flow of an access control record storage method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an access control record storage device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another access control record storage device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device for accessing control records according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An access control record storage method of an embodiment of the present invention is described below with reference to fig. 1.
As shown in fig. 1, the access control record storage method of the embodiment of the present invention includes steps S100 to S300.
First, the operating environment of the access control record storage method provided by the embodiment of the present invention is explained. It includes three parts: the system, the blockchain, and the blockchain nodes.
System: the system is the source of the operation logs, the role policy information, and the role assignment records. In the embodiment of the invention, the system must have an access control function. There may be more than one system, which the embodiment of the present invention does not specifically limit. The access control models may be inconsistent: a model may be ABAC (Attribute-Based Access Control) or RBAC (Role-Based Access Control), which the embodiment of the present invention likewise does not specifically limit.
Blockchain: the blockchain is the core technology of digital cryptocurrency systems, of which Bitcoin is representative. It is decentralized, data on the chain is very hard to tamper with, and it is strongly group-maintained and anonymous. Using cryptographic means such as asymmetric encryption algorithms, timestamps, hash functions, and consensus algorithms, it can establish decentralized trust relationships and enable the exchange and sharing of data among users. Because the blockchain is decentralized and hard to tamper with, it is suitable for storing a system's access control records: it can ensure that the records are not tampered with, which improves security.
The blockchain is responsible for storing the access control records. In the embodiment of the present invention, the blockchain is a consortium chain, which is one architecture of blockchain. A consortium chain is initiated by an organization, and members need authorization to join; it is partially decentralized and multi-centered, combining characteristics of public chains and private chains. It is maintained jointly by the member organizations and provides functions such as member management, authentication, authorization, monitoring, and auditing. A consortium chain formed by different organizations is suitable for the secure storage of access control records within those organizations and is convenient for auditing by superior departments. The blockchain is composed of blockchain nodes.
Blockchain node: a blockchain node is a computer or server equipped with blockchain client software. Nodes are deployed in the machine rooms of the various companies (all members of the consortium chain) but are not completely trusted, and computers or servers must pass through a dedicated blockchain gateway when communicating with the blockchain nodes. The main role of a blockchain node is to confirm the validity of transactions: when a blockchain user attempts to add a new block to the chain using some protocol or mechanism, the node is responsible for broadcasting the block information or verifying the validity of the new block (including signature validity, transaction validity, etc.), and the node can accept or reject the generation of the new block.
Next, the application environment of the access control record storage method according to the embodiment of the present invention is explained. As shown in FIG. 2, it includes a consortium chain and a plurality of systems, and the systems are located in a logical area rather than a physical area. The systems are the source of the operation logs, role policy information, and role assignment records, whose formats may not be identical before unification. In the embodiment of the present invention, each system must have an access control function.
Step S100: acquire an access control record.
It can be understood that data is obtained from information such as the operation logs, role policy information, and role assignment records, and is then converted into an RBAC-based access control record format according to the access control record unification rules and algorithms, so that the description formats of the access control records are unified before the records are uploaded to the consortium chain. Migrating the format of every record to be uploaded into the RBAC-based access control record format reduces the complexity of managing access control records and makes the access control record data easier to audit.
The role-based access control model, RBAC, is one of the access control models in wide use today. The RBAC model supports recognized security principles: the least privilege principle, the separation of duties principle, and the data abstraction principle, and it has good generality and adaptability. The basic idea of the RBAC model is that permissions for system operations are not granted directly to specific users; instead, a set of roles is established between the set of users and the set of permissions, users are granted permissions according to their roles, and low-level users are prevented from accessing sensitive data or performing confidential tasks.
Step S200: encrypt the access control record to obtain an access control record ciphertext.
It can be understood that the access control records must be encrypted, and only the security administrators of the respective systems and third-party regulatory bodies can view the raw data of the access control records. The consortium chain stores the access control records of multiple participants, and each participant's records are encrypted with that participant's corresponding key, which prevents an auditing body from abusing its authorization to obtain unauthorized access control records in violation of the rules.
Step S300: store the access control record ciphertext on the blockchain.
It can be understood that the access control record ciphertext produced by the two rounds of encryption is uploaded to and stored on the blockchain.
According to the access control record storage method provided by the embodiment of the invention, every access control record stored on the blockchain is encrypted, so storage security is improved and the privacy leakage problem caused by the openness of blockchain data is solved.
In some embodiments, step S200, encrypting the access control record, and obtaining the access control record ciphertext includes step S210 and step S220.
Step S210: self-encrypt the access control record to obtain the hash value of the access control record and the access control record intermediate ciphertext.
It can be understood that a hash function, which the embodiment of the present invention does not specifically limit, is applied to the unified access control record to obtain the hash value of the access control record. Encryption has two rounds. The first round is self-encryption: the access control record and its signature are encrypted with the symmetric key of the access control record owner, and the hash value of the access control record is generated, yielding the hash value of the access control record and the access control record intermediate ciphertext.
In the self-encryption mode, the access control record owner becomes the owner and manager of the encryption key. This amounts to a technical barrier: before anyone else can access the access control record, the owner must take part, and the owner can control how accessible the record is through ownership of the key.
Symmetric encryption is a commonly used kind of encryption algorithm in which the same key is used for encryption and decryption. Asymmetric encryption uses a pair of keys, a public key and a private key. The private key is kept secret by the user and the public key can be disclosed; data is encrypted with the public key and decrypted with the private key held by the user. Asymmetric algorithms can be used for encrypting and decrypting data and for digital signatures. In the embodiment of the invention, the symmetric encryption and signature algorithms are taken from the Chinese national (SM-series) cryptographic algorithms.
Step S220: perform fusion encryption on the hash value of the access control record and the access control record intermediate ciphertext to obtain the access control record ciphertext.
It can be understood that the second round of encryption is fusion encryption, in which the ciphertext from the first round and the hash value of the access control record are encrypted with a blockchain symmetric key negotiated by multiple parties. One encryption method alone cannot ensure the security of the access control record; encrypting it again with the multi-party negotiated blockchain symmetric key improves the encryption quality of the access control record.
According to the access control record storage method provided by the embodiment of the invention, the symmetric key of the access control record owner and the blockchain symmetric key negotiated by multiple parties are used to encrypt the access control record in two rounds, which improves the encryption quality of the access control record and ensures its security.
In some embodiments, step S210, self-encrypting the access control record to obtain the hash value of the access control record and the access control record intermediate ciphertext, includes: signing the access control record with the private key of the access control record owner, using the hash value of the access control record as a unique identification code, and encrypting the access control record and its signature with a symmetric encryption algorithm to obtain the access control record intermediate ciphertext.
It can be understood that the access control record is signed with the access control record owner's private key, the access control record is hashed to generate its hash value, the hash value is used as a unique identification code, and the access control record and its signature are then encrypted with a symmetric encryption algorithm. The signing process, the record encryption process, and the hash generation process do not need to be carried out one by one, which improves efficiency.
This section is formally described as follows:
Signing the access control record with the private key of the access control record owner to obtain the signature of the access control record:
$$\mathrm{privateKey\_Sign}(ACR_1, ACR_2, \ldots, ACR_n,\ n \ge 1) = ACR\_Sign_n$$
where privateKey_Sign is the private key of the access control record owner, $ACR_n$ is the n-th access control record, and $ACR\_Sign_n$ is the signature of the access control record.
Encrypting the access control record and the signature of the access control record with a symmetric encryption algorithm to obtain the access control record intermediate ciphertext:
$$\mathrm{Symmetric\_Encrypt}(ACR_1, ACR_2, \ldots, ACR_n \cup ACR\_Sign_n,\ n \ge 1) = ACR\_Encrypt_n$$
where Symmetric_Encrypt is a symmetric encryption algorithm, which is not specifically limited in the embodiment of the present invention, $ACR_n$ is the n-th access control record, $ACR\_Sign_n$ is the signature of the access control record, and $ACR\_Encrypt_n$ is the access control record intermediate ciphertext.
Hashing the access control record to generate the hash value of the access control record:
$$\mathrm{Hash}(ACR_1, ACR_2, \ldots, ACR_n,\ n \ge 1) = Hash\_ID_n$$
where $ACR_n$ is the n-th access control record, Hash is a hash algorithm, which is not specifically limited in the embodiment of the present invention, and $Hash\_ID_n$ is the hash value of the access control record.
The access control record storage method provided by the embodiment of the invention encrypts each access control record with the symmetric key of its owner, so records belonging to different owners are encrypted with their corresponding keys; this prevents an auditing authority from abusing its authorization and illegally acquiring unauthorized access control records.
In some embodiments, in step S220, performing fusion encryption on the hash value of the access control record and the access control record intermediate ciphertext, and obtaining the access control record ciphertext includes: and encrypting the intermediate ciphertext of the access control record and the hash value of the access control record by using a preset symmetric key to obtain the ciphertext of the access control record.
It can be understood that, the intermediate ciphertext of the access control record and the hash value of the access control record are encrypted by using the symmetric key agreed by all the blockchain members in advance, so as to obtain the ciphertext of the access control record, and the encryption does not need to be performed one by one.
This section is formally described as follows:
$$\mathrm{Symmetric\_Encrypt}(Hash\_ID_n \cup ACR\_Encrypt_n,\ n \ge 1) = BlockChain\_Encrypt_n$$
where Symmetric_Encrypt is a symmetric encryption algorithm, which is not specifically limited in the embodiments of the present invention, $Hash\_ID_n$ is the hash value of the access control record, $ACR\_Encrypt_n$ is the access control record intermediate ciphertext, and $BlockChain\_Encrypt_n$ is the access control record ciphertext.
According to the access control record storage method provided by the embodiment of the invention, the access control record is encrypted again by using the block chain symmetric key negotiated by multiple parties, so that the encryption quality of the access control record can be improved.
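The two rounds described above (steps S210 and S220), as an added Python example that is not code from the patent. The Lamport one-time signature, the HMAC-SHA256 encrypt-then-MAC construction, SHA-256 and all function names are assumed stand-ins chosen so the block runs on the standard library, since the page leaves the algorithms open. It also shows what each key holder recovers: the consortium key yields only Hash_ID and an opaque blob, and reading the record requires the owner's key.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in primitives (assumptions): stdlib-only substitutes for the signature and
# symmetric cipher. Lamport keys are ONE-TIME: use one key pair per signed record.

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def msg_bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    return b"".join(sk[i][bit] for i, bit in enumerate(msg_bits(msg)))

def lamport_verify(pk, msg, sig):
    if len(sig) != 256 * 32:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(sig[32 * i:32 * i + 32]).digest(), pk[i][bit])
        for i, bit in enumerate(msg_bits(msg))
    )

def subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def keystream(enc_key, nonce, length):
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def sym_encrypt(key, plaintext):
    """Encrypt-then-MAC: HMAC-SHA256 counter keystream, then an HMAC tag."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(body, keystream(enc_key, nonce, len(body))))

# Round 1 (step S210): sign, hash, and encrypt under the owner's symmetric key.
def self_encrypt(record, owner_sk, owner_key):
    acr = json.dumps(record, sort_keys=True).encode()
    acr_sign = lamport_sign(owner_sk, acr)                  # privateKey_Sign(ACR)
    hash_id = hashlib.sha256(acr).digest()                  # Hash(ACR), the unique ID
    framed = len(acr).to_bytes(4, "big") + acr + acr_sign   # ACR ∪ ACR_Sign
    return hash_id, sym_encrypt(owner_key, framed)          # ACR_Encrypt

# Round 2 (step S220): wrap Hash_ID and ACR_Encrypt under the consortium key.
def fusion_encrypt(hash_id, acr_encrypt, chain_key):
    return sym_encrypt(chain_key, hash_id + acr_encrypt)    # BlockChain_Encrypt

def chain_open(blockchain_encrypt, chain_key):
    """What any holder of the consortium key learns: the ID and an opaque blob."""
    outer = sym_decrypt(chain_key, blockchain_encrypt)
    return outer[:32], outer[32:]

def owner_open(hash_id, acr_encrypt, owner_key, owner_pk):
    """Owner-side read: decrypt, then check the hash ID and the signature."""
    framed = sym_decrypt(owner_key, acr_encrypt)
    n = int.from_bytes(framed[:4], "big")
    acr, acr_sign = framed[4:4 + n], framed[4 + n:]
    if not hmac.compare_digest(hashlib.sha256(acr).digest(), hash_id):
        raise ValueError("record does not match its hash ID")
    if not lamport_verify(owner_pk, acr, acr_sign):
        raise ValueError("signature does not verify")
    return json.loads(acr)

# Constructed sample record using the page's ACR fields.
SAMPLE_ACR = {"U": "alice", "P_U": "READ", "T_U": "2020-05-12T09:00:00+00:00",
              "E_U": "/hr/payroll.xlsx", "UR_U": ["hr_clerk"],
              "PO_U": {"hr_clerk": ["READ:/hr/*"]}, "Ra_U": []}

if __name__ == "__main__":
    sk, pk = lamport_keygen()
    owner_key, chain_key = secrets.token_bytes(32), secrets.token_bytes(32)
    on_chain = fusion_encrypt(*self_encrypt(SAMPLE_ACR, sk, owner_key), chain_key)
    hash_id, inner = chain_open(on_chain, chain_key)
    print("hash ID:", hash_id.hex())
    print("record :", owner_open(hash_id, inner, owner_key, pk))
```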
In some embodiments, the step S100 of obtaining an access control record comprises the steps S110-S130.
First, the definitions used by the access control record storage method provided by the embodiment of the present invention are explained.
Operation log: an operation log has the format $\rho = \langle U, P, T, E, n \rangle$, where $\rho$ is the operation log, U is the operator, P is the operation type, T is the operation time, E is the operation target, and n is other information in the operation log; n may vary depending on the needs.
Role policy information and role assignment records: the role policy information is the RBAC attribute policy set $v = \langle R, UR, PO \rangle$ belonging to the same system as the operation log $\rho$, where R is the role set, UR is the user-role assignment relation, and PO is the permission-role assignment relation. Role assignment records are the system-captured role assignment activities $\langle Ra \rangle$ that an administrator performs on an access control page, e.g., adding users to or deleting users from roles.
Access control record: a unified record format used to unify the log formats of the multiple systems in a consortium chain. For an operator U, the access control record (ACR) is $ACR = \langle U, P_U, T_U, E_U, UR_U, PO_U, Ra_U \rangle$, where $P_U$, $T_U$, $E_U$ come from the operation log and $UR_U$, $PO_U$, $Ra_U$ come from the role policy information and the role assignment records,
Figure BDA0002488542430000101
Unification: given a set of operation logs, role policy information, and role assignment records, unification has two steps. First, with the operator as the core, the operation log, role policy information, and role assignment records are associated to generate a List of Pending Data (LPD). Second, the LPD format is unified: the data required by the access control record is extracted from the LPD and filled into the access control record format. For an operator U, the following map represents the first step:
$$LPD_U = \{\rho_U, v_U, Ra_U\}$$
where $LPD_U$ is the list of the user's data to be processed.
The second step is represented by the following map:
$$ACR_U = g(f(X))$$
where X is the list of the user's data to be processed, and $ACR_U$ is the access control record obtained by applying function f and function g to the list X.
Step S110: acquire the original data.
It can be understood that the original data includes the operation log, role policy information, and role assignment records, and acquiring the original data means acquiring the operation log, role policy information, and role assignment records in the system.
Step S120: acquire a to-be-processed data list based on the original data.
It can be understood that the operation log, the role policy information, and the role assignment records are described in the form of a List of Pending Data (LPD). The list comprises one or more tables, and different columns in the tables represent different kinds of data.
Step S130: acquire an access control record based on the to-be-processed data list.
It can be understood that the format of the to-be-processed data list is unified. The format of the list may differ between systems, so unification is a many-to-one conversion. During unification, if a system's access control model is not RBAC, a role mining algorithm is used to obtain information such as the role-permission relationships.
The access control record storage method provided by the embodiment of the invention unifies the access control record formats of multiple parties, and solves the problems of great audit difficulty caused by diverse information description and non-unified access control record formats generated by different access control mechanisms.
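The two unification steps above, as an added Python example that is not code from the patent. The two systems' log layouts, the field maps, the sample data, and the concrete behaviour of f (rename and normalise) and g (fill the ACR fields) are assumptions, since the page defines f and g only abstractly.

```python
from datetime import datetime, timezone

# Assumed per-system adapters: source log field -> operation log field (U, P, T, E).
FIELD_MAPS = {
    "A": {"user": "U", "action": "P", "ts": "T", "object": "E"},
    "B": {"uid": "U", "op": "P", "when": "T", "res": "E"},
}

# Constructed raw data: two systems, two log layouts, two timestamp encodings.
SYSTEM_A = {
    "id": "A",
    "logs": [
        {"user": "alice", "action": "read", "ts": "2020-05-12T09:00:00+00:00",
         "object": "/hr/payroll.xlsx", "src_ip": "10.0.0.8"},
        {"user": "bob", "action": "delete", "ts": "2020-05-12T09:05:00+00:00",
         "object": "/hr/old.csv", "src_ip": "10.0.0.9"},
    ],
    "policy": {"R": ["hr_clerk", "hr_admin"],
               "UR": {"alice": ["hr_clerk"], "bob": ["hr_admin"]},
               "PO": {"hr_clerk": ["READ:/hr/*"],
                      "hr_admin": ["READ:/hr/*", "DELETE:/hr/*"]}},
    "role_events": [{"admin": "root", "change": "add", "user": "alice", "role": "hr_clerk"}],
}
SYSTEM_B = {
    "id": "B",
    "logs": [{"uid": "alice", "op": "Write", "when": 1589278500, "res": "ledger.db"}],
    "policy": {"R": ["fin_editor"], "UR": {"alice": ["fin_editor"]},
               "PO": {"fin_editor": ["WRITE:ledger.db"]}},
    "role_events": [],
}

def build_lpd(system, operator):
    """Step 1: associate log, role policy and role assignments around one operator."""
    user_field = next(src for src, dst in FIELD_MAPS[system["id"]].items() if dst == "U")
    roles = system["policy"]["UR"].get(operator, [])
    return {
        "system": system["id"],
        "rho": [e for e in system["logs"] if e[user_field] == operator],
        "v": {"R": roles, "UR": {operator: roles},
              "PO": {r: system["policy"]["PO"][r] for r in roles}},
        "Ra": [e for e in system["role_events"] if e["user"] == operator],
    }

def to_utc_iso(value):
    """Normalise epoch seconds or an ISO 8601 string to one UTC representation."""
    if isinstance(value, (int, float)):
        moment = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        moment = datetime.fromisoformat(value)
        if moment.tzinfo is None:
            # An audit timestamp with no offset is ambiguous, so refuse it.
            raise ValueError("timestamp without a UTC offset: " + value)
    return moment.astimezone(timezone.utc).isoformat()

def f(lpd):
    """Step 2a (assumed meaning of f): rename fields and normalise values."""
    field_map = FIELD_MAPS[lpd["system"]]
    entries = []
    for raw in lpd["rho"]:
        entry = {dst: raw[src] for src, dst in field_map.items()}
        entry["P"] = str(entry["P"]).upper()
        entry["T"] = to_utc_iso(entry["T"])
        entry["n"] = {k: v for k, v in raw.items() if k not in field_map}
        entries.append(entry)
    return {**lpd, "rho": entries}

def g(lpd):
    """Step 2b (assumed meaning of g): fill one ACR per operation log entry."""
    return [{"U": e["U"], "P_U": e["P"], "T_U": e["T"], "E_U": e["E"],
             "UR_U": lpd["v"]["UR"][e["U"]], "PO_U": lpd["v"]["PO"], "Ra_U": lpd["Ra"]}
            for e in lpd["rho"]]

def unify(system, operator):
    return g(f(build_lpd(system, operator)))

if __name__ == "__main__":
    for system in (SYSTEM_A, SYSTEM_B):
        for acr in unify(system, "alice"):
            print(system["id"], acr)
```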
The following exemplifies an access control record storage method according to an embodiment of the present invention.
The basic assumption is that there is an operator Alice, and all of Alice's operations are performed in system B. The company and the auditor have agreed on the symmetric key required for fusion encryption, and the assignment of roles and permissions and the formulation of access control policies have been completed.
The process in which Alice registers her personal information in the system and obtains the roles and permissions assigned by the system is as follows:
Figure BDA0002488542430000121
After Alice completes a series of operations in system B, the system collects data such as Alice's operation information and converts it into the $\mathrm{LPD}_{Alice}$ representation, as follows:
Figure BDA0002488542430000122
$\mathrm{LPD}_{Alice}$ is then unified; the specific flow of the unification is shown in Fig. 3.
Specifically, with the operator as the core, the three kinds of information are associated: the operation log is located by the operator's account, and the corresponding role assignment records, role policies and other information are located by the role and permission information.
In addition, the access control mechanism of system B may not be RBAC; in that case, a role mining algorithm can be used to obtain information such as the role-permission relationships in the original system.
The unification proceeds as follows:
Figure BDA0002488542430000123
The processed result is called an access control record.
The access control record is then encrypted. Encryption is divided into self-encryption and fusion encryption; the specific flow is shown in Fig. 4.
The first step of self-encryption is to sign the access control record using a private key, as follows:
$\mathrm{privateKey\_Sign}(\mathrm{ACR}_{Alice}) = \mathrm{ACR\_Sign}_{Alice}$
where privateKey_Sign is the private key of the access control record owner, $\mathrm{ACR}_{Alice}$ is the access control record, and $\mathrm{ACR\_Sign}_{Alice}$ is the signature of the access control record.
The second step is to encrypt the access control record and the signature of the access control record using a symmetric encryption algorithm, as follows:
$\mathrm{Symmetric\_Encrypt}(\mathrm{ACR}_{Alice} \cup \mathrm{ACR\_Sign}_{Alice}) = \mathrm{ACR\_Encrypt}_{Alice}$
where Symmetric_Encrypt is a symmetric encryption algorithm, which the embodiment of the present invention does not specifically limit, $\mathrm{ACR}_{Alice}$ is the access control record, $\mathrm{ACR\_Sign}_{Alice}$ is the signature of the access control record, and $\mathrm{ACR\_Encrypt}_{Alice}$ is the access control record intermediate ciphertext.
The third step is to hash the access control record to generate the hash value of the access control record, as follows:
$\mathrm{Hash}(\mathrm{ACR}_{Alice}) = \mathrm{Hash\_ID}_{Alice}$
where $\mathrm{ACR}_{Alice}$ is the access control record, Hash is a hash algorithm, which the embodiment of the present invention does not specifically limit, and $\mathrm{Hash\_ID}_{Alice}$ is the hash value of the access control record.
Fusion encryption encrypts the hash value of the access control record together with the access control record ciphertext produced by self-encryption, as follows:
$\mathrm{Symmetric\_Encrypt}(\mathrm{Hash\_ID}_{Alice} \cup \mathrm{ACR\_Encrypt}_{Alice}) = \mathrm{BlockChain\_Encrypt}_{Alice}$
where Symmetric_Encrypt is a symmetric encryption algorithm, which the embodiments of the present invention do not specifically limit, $\mathrm{Hash\_ID}_{Alice}$ is the hash value of the access control record, $\mathrm{ACR\_Encrypt}_{Alice}$ is the access control record intermediate ciphertext, and $\mathrm{BlockChain\_Encrypt}_{Alice}$ is the access control record ciphertext.
The access control record is uploaded to the blockchain network as follows:
Figure BDA0002488542430000131
where $\mathrm{BlockChain\_Encrypt}_{Alice}$ is the access control record ciphertext and BLOCKCHAIN is the blockchain network.
When the access control records need to be audited, the auditing agency must first remove their privacy protection. Provided that it holds the symmetric key, the removal consists of the inverse operations of all the operations in the encryption process.
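The self-encryption and fusion-encryption steps above, together with the auditor's inverse operation, as an added Go example that is not part of the patent. It substitutes Ed25519, AES-256-GCM and SHA-256 for the SM-series algorithms named in the embodiment (Go's standard library has none of them), and it assumes separate keys for the two layers, a fixed-length-prefix concatenation for the union symbol, and a constructed sample record; the names Key, Protect and Audit are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Key [32]byte // AES-256 key; the length is enforced by the type

// seal encrypts with AES-256-GCM (stand-in for Symmetric_Encrypt): nonce || ciphertext || tag.
func seal(k Key, pt []byte) []byte {
	block, _ := aes.NewCipher(k[:]) // cannot fail: Key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)  // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key or any modified byte.
func open(k Key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Protect applies self-encryption (sign, encrypt, hash), then fusion encryption.
func Protect(acr []byte, owner ed25519.PrivateKey, selfKey, fusionKey Key) []byte {
	sig := ed25519.Sign(owner, acr)               // ACR_Sign (64 bytes)
	mid := seal(selfKey, append(sig, acr...))     // ACR_Encrypt = Enc(ACR_Sign || ACR)
	id := sha256.Sum256(acr)                      // Hash_ID (32 bytes)
	return seal(fusionKey, append(id[:], mid...)) // BlockChain_Encrypt = Enc(Hash_ID || ACR_Encrypt)
}

// Audit inverts Protect, then checks Hash_ID and the owner's signature.
func Audit(ct []byte, pub ed25519.PublicKey, selfKey, fusionKey Key) ([]byte, error) {
	outer, err := open(fusionKey, ct)
	if err != nil || len(outer) < sha256.Size {
		return nil, fmt.Errorf("fusion layer rejected")
	}
	inner, err := open(selfKey, outer[sha256.Size:])
	if err != nil || len(inner) < ed25519.SignatureSize {
		return nil, fmt.Errorf("self-encryption layer rejected")
	}
	sig, acr := inner[:ed25519.SignatureSize], inner[ed25519.SignatureSize:]
	if id := sha256.Sum256(acr); !bytes.Equal(id[:], outer[:sha256.Size]) || !ed25519.Verify(pub, acr, sig) {
		return nil, fmt.Errorf("hash or signature mismatch")
	}
	return acr, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var selfKey, fusionKey Key // constructed random keys for the two layers
	rand.Read(selfKey[:])
	rand.Read(fusionKey[:])
	ct := Protect([]byte(`{"operator":"alice","op":"read"}`), priv, selfKey, fusionKey) // constructed record
	acr, err := Audit(ct, pub, selfKey, fusionKey)
	fmt.Printf("%s %v\n", acr, err)
}
```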
In the following, the access control record storage device provided by the embodiment of the present invention is described, and the access control record storage device described below and the access control record storage method described above may be referred to in correspondence with each other.
An access control record storage apparatus of an embodiment of the present invention is described below with reference to fig. 5.
The encryptor (encryption machine) is a computer or server equipped with a national cryptographic (SM-series) chip. To guarantee the security of commercial cryptography, the Office of the State Commercial Cryptography Administration has established a series of cryptographic standards, including SM1, SM2, SM3, SM7 and the like. The SM1 and SM7 algorithms are not public; they are packaged in chips only in the form of IP cores and can be invoked only through the interface of a national cryptographic chip. In the embodiment of the invention, the symmetric encryption and signature algorithms are national cryptographic (SM-series) algorithms.
The access control record storage device comprises a system that provides access control information, an encryptor, and a blockchain gateway. All access control records must undergo processing such as encryption and are finally uploaded to the blockchain through the blockchain gateway; the encryption algorithms are provided by the encryptor (using national cryptographic algorithms). The blockchain gateway handles only traffic and requests related to the blockchain; all other data is handed to other gateways for processing.
Another access control record storage device of an embodiment of the present invention is described below with reference to fig. 6.
As shown in fig. 6, the apparatus includes an acquisition unit 410, an encryption unit 420, and a storage unit 430.
The obtaining unit 410 is configured to obtain the access control record.
It is understood that the obtaining unit 410 obtains data from information such as the operation log, the role policy information, and the role assignment records, converts the data into an RBAC-based access control record format according to the access control record unification rules and algorithm, and thereby unifies the description format of the access control records before they are uploaded to the consortium blockchain.
The encryption unit 420 is configured to encrypt the access control record and obtain an access control record ciphertext.
It is understood that the encryption unit 420 encrypts the access control record so that only the security administrator of each system and the third-party supervision department can view the original data of the access control record.
The storage unit 430 is configured to store the access control record ciphertext to the blockchain.
It is understood that the storage unit 430 uploads the access control record ciphertext, after its two rounds of encryption, to the blockchain and stores it there.
The access control record storage device provided by the embodiment of the invention encrypts all the access control records stored in the blockchain, which improves storage security and solves the privacy leakage problem caused by blockchain data being public.
Fig. 7 illustrates a physical structure diagram of an electronic device, and as shown in fig. 7, the electronic device may include: a processor (processor)510, a communication interface (communication interface)520, a memory (memory)530 and a communication bus 540, wherein the processor 510, the communication interface 520 and the memory 530 communicate with each other via the communication bus 540. Processor 510 may call logic instructions in memory 530 to perform an access control record storage method that includes obtaining an access control record; encrypting the access control record to obtain an access control record ciphertext; and storing the access control record ciphertext to the block chain.
It should be noted that, when being implemented specifically, the electronic device in this embodiment may be a server, a PC, or other devices, as long as the structure includes the processor 510, the communication interface 520, the memory 530, and the communication bus 540 shown in fig. 7, where the processor 510, the communication interface 520, and the memory 530 complete mutual communication through the communication bus 540, and the processor 510 may call the logic instructions in the memory 530 to execute the above method. The embodiment does not limit the specific implementation form of the electronic device.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and, when sold or used as independent products, stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Further, an embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium. The computer program comprises program instructions which, when executed by a computer, enable the computer to execute the access control record storage method provided by the above method embodiments, the method comprising: obtaining an access control record; encrypting the access control record to obtain an access control record ciphertext; and storing the access control record ciphertext to the blockchain.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program performs the access control record storage method provided in the foregoing embodiments, the method comprising: obtaining an access control record; encrypting the access control record to obtain an access control record ciphertext; and storing the access control record ciphertext to the blockchain.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. An access control record storage method, comprising:
acquiring an access control record;
encrypting the access control record to obtain an access control record ciphertext;
and storing the access control record ciphertext to a block chain.
2. The method for storing an access control record according to claim 1, wherein the encrypting the access control record to obtain an access control record ciphertext comprises:
self-encrypting the access control record to obtain a hash value of the access control record and an access control record intermediate ciphertext;
and performing fusion encryption on the hash value of the access control record and the intermediate ciphertext of the access control record to obtain the ciphertext of the access control record.
3. The method according to claim 2, wherein the self-encrypting the access control record to obtain the hash value of the access control record and the access control record intermediate ciphertext comprises:
signing the access control record by using a private key of an access control record owner, using a hash value of the access control record as a unique identification code, and encrypting the access control record and the signature of the access control record by using a symmetric encryption algorithm to obtain the access control record intermediate ciphertext.
4. The method according to claim 3, wherein the performing fusion encryption on the hash value of the access control record and the access control record intermediate ciphertext to obtain the access control record ciphertext comprises:
and encrypting the hash value of the access control record and the intermediate ciphertext of the access control record by using a preset symmetric key to obtain the ciphertext of the access control record.
5. The access control record storage method according to any one of claims 1 to 4, wherein said obtaining an access control record comprises:
acquiring original data;
acquiring a to-be-processed data list based on the original data;
and acquiring the access control record based on the to-be-processed data list.
6. An access control record storage device, comprising:
an acquisition unit configured to acquire an access control record;
the encryption unit is used for encrypting the access control record to obtain an access control record ciphertext;
and the storage unit is used for storing the access control record ciphertext to the block chain.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the access control record storage method according to any one of claims 1 to 5 are implemented when the program is executed by the processor.
8. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the access control record storage method according to any one of claims 1 to 5.
CN202010398811.7A 2020-05-12 2020-05-12 Access control record storage method and device Pending CN111651776A (en)


Publications (1)

Publication Number Publication Date
CN111651776A true CN111651776A (en) 2020-09-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination