CN112118221A - Block chain-based privacy data sharing-oriented capability access control method - Google Patents

Info

Publication number
CN112118221A
Authority
CN
China
Prior art keywords
data
enterprise
user
token
capability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010789050.8A
Other languages
Chinese (zh)
Other versions
CN112118221B (en
Inventor
黄志清
张亚川
黄明明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN202010789050.8A priority Critical patent/CN112118221B/en
Publication of CN112118221A publication Critical patent/CN112118221A/en
Application granted granted Critical
Publication of CN112118221B publication Critical patent/CN112118221B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a blockchain-based capability access control method for privacy data sharing. A server is built in a VMware virtual machine, a CA is configured on the server, and a CA service is set up for the invention. Enterprise A and enterprise B apply for their own digital identity certificates through this CA service, which supports the subsequent secure operations. The invention offers efficient permission management and good extensibility, is better suited to the one-to-one scenario of sharing enterprise users' private data, and effectively avoids network attacks and data leakage during transactions. It also makes the record of authorized data use explicit and provides non-repudiable evidence for the steps in which data is opened and used.

Description

Block chain-based privacy data sharing-oriented capability access control method
Technical Field
The invention relates to access control, data sharing and alliance chain technology, and in particular to a data sharing scheme, for the scenario of sharing enterprise users' private data, that is based on an alliance chain and a capability-based access control model.
Background
The rapidly developing mobile internet is gradually permeating every aspect of people's work and life. Mobile internet applications of all kinds are growing quickly, huge user bases have driven exponential growth in data, the era of big data has arrived, and enormous value lies behind that data. To release this value fully, data must be able to circulate and be shared, and the precondition for sharing is that ownership of the data is clear. By ownership, enterprise data divides into desensitized and non-desensitized data: desensitized data is owned by the enterprise, while non-desensitized data is user privacy data and is owned by the individual user. National law requires that, in data transactions between enterprises, users' private data must not be disclosed without the users' authorization. Enterprises may therefore trade users' private data only with the data owner's approval; without it, the data cannot be traded.
As enterprises attach more importance to mining the value of data and market demand grows, obtaining business benefit from user data has become a trend. To share users' private data held by enterprises, a user authorization step is indispensable. As one of the basic technologies for data protection, an access control mechanism ensures that data can be accessed only by a user who holds the corresponding permission. Adding a user authorization step to the data sharing process makes ownership of the data clear, allows the data to be shared safely and lawfully, and protects the user's personal privacy. Common access control mechanisms include access control lists (ACL), role-based access control (RBAC) and attribute-based access control (ABAC). Early ACLs assigned the corresponding permissions to each particular subject. The biggest problem with this approach is that permission control is scattered and hard to manage. Later, RBAC addressed this problem by assigning permissions to roles, which were then assigned to subjects, rather than granting permissions directly to subjects. However, as the number of subjects and resources increases and scenarios become more complex, more and more roles must be managed, which may lead to misuse of roles and make control and management difficult. ABAC achieves finer-grained access control in complex scenarios by introducing attributes, but the model is noticeably complex, has poor flexibility and extensibility, and is not suited to one-to-one control. Most of these control models suffer from lack of flexibility, poor extensibility and high overhead, and are clearly unsuited to sharing enterprise users' private data.
In view of this, the present invention implements a scheme for sharing enterprise users' private data based on an alliance chain and a capability access control mechanism. The capability-based access control model provides one-to-one access control and greatly simplifies authorized access to resources without increasing the complexity of the access control model. Alliance chain technology is also introduced: evidence is recorded on-chain at steps such as data access control, providing non-repudiable evidence for the steps in which data is opened and its use is authorized. The scheme resolves the tension between data sharing and privacy protection.
Disclosure of Invention
The main aim of the invention is to provide a scheme for sharing user privacy data (data that has not been desensitized) held by an enterprise. It addresses both data sharing and user privacy protection, so that non-desensitized enterprise data can be shared and circulated and can create value. The system structure is shown in fig. 1.
The technical scheme adopted by the invention combines a capability-based access control model with an alliance chain to share and circulate enterprise users' private data. The scheme is implemented with an enterprise data sharing platform as its carrier. The platform separates front end and back end: the front end is built with the Vue framework, and the back end exposes RESTful API services, implemented with SpringBoot + MyBatis, for the front-end pages to call. Because a blockchain is comparatively weak in performance and storage, the mainstream relational database MySQL is used as the database. For the type of blockchain, the characteristics of private, public and alliance chains were weighed against the particular scenario of enterprise data sharing, and an alliance chain was chosen as the underlying chain. The alliance chain network is built in Docker containers, the chaincode contracts are written in Go, on-chain data is stored in the LevelDB database on the blockchain nodes, and the platform uses MySQL and the alliance chain together for on-chain and off-chain storage and for query and audit.
The specific scheme is shown in fig. 3. The scheme has the following main roles:
1 Data requester
In the enterprise private data sharing scenario, the data requester is an enterprise that needs user private data. It is referred to here as enterprise A.
2 Data holder
In the enterprise private data sharing scenario, the data holder is the enterprise that stores the user private data. This enterprise has no authority of its own to share or use the user private data. It is referred to here as enterprise B.
3 Data owner
In the enterprise private data sharing scenario, the data owner is the individual user. Ownership of the data belongs to the individual user, so the data cannot be traded privately without the user's authorization. The data owner is referred to here as user C.
The scheme is realized as follows:
First, in the established alliance chain, enterprise B establishes an alliance and creates different business channels for the different enterprises that request data; when enterprise A requests data, enterprise A and enterprise B join the same data business channel.
Second, a Windows Server 2008 server is set up in a VMware virtual machine, a CA is configured on it, and a CA service is established for the invention. Enterprise A and enterprise B apply for their own digital identity certificates through this CA service, which supports the subsequent secure operations.
S1) the data sharing platform of enterprise B displays the data list;
1) attaching category labels to the back-end sensitive data;
2) displaying the data on the sharing platform, classified by label;
S2) enterprise A registers a platform account;
1) registering a platform account;
2) applying for a digital certificate;
S3) enterprise A requests data;
1) viewing the list of available data;
2) sending a data request;
S4) the platform performs capability control over the data;
1) applying for a capability token;
2) verifying the capability token;
3) capability delegation;
S5) query and audit;
1) querying data transactions on-chain;
2) querying data transactions off-chain;
The steps above are implemented as follows:
S1) In the data sharing platform of enterprise B, the data in the back-end database is analysed and classified, for example into location-track data, credit data and personal-preference data, and is displayed on the platform in the form of labels, as shown in fig. 4.
S2) Enterprise A registers account information on the data sharing platform of enterprise B. The registration information includes descriptive information such as the enterprise name and enterprise scale, and a platform account private to enterprise A is generated. In addition, enterprise A applies to the CA service for a certificate, and the private key itself is stored locally for subsequent encryption operations, as shown in fig. 4 and 5.
S3) After registering the account, enterprise A logs in to the data sharing platform of enterprise B and views the existing list of user privacy data; it can also search the privacy data list of a specified user by user keyword. When enterprise A needs the private data of a certain user, it clicks to apply and fills in a data request. The data request contains the requester's information, the purpose of the requested data, the name of the user, whether a capability token is already held, and its digital certificate. The data request information is encapsulated in JSON format and sent, and is recorded on-chain through an evidence-storage contract, as shown in fig. 7.
S4) The data sharing platform of enterprise B controls enterprise A's permission to access data; this is the key point of the invention. It consists of three parts: application for the capability token, verification of the capability token, and capability delegation.
For the application for the capability token: after enterprise A submits a data request, the platform packages enterprise A's data request information and sends it to the designated user as a short message. On receiving the short message, the user checks its content and opens the Web authorization link it contains, as shown in FIG. 8. If the user agrees, the user fills in the corresponding authorization information, which is used to generate the capability token; if not, the user clicks to reject the data access request. When the platform collects the content of the Web authorization page and the authorization was granted, the data sharing platform generates a capability token from the collected user authorization information; the token information is encrypted with enterprise A's digital certificate and sent, together with its signature, to enterprise A's account. If the authorization was not granted, the rejection information is returned to enterprise A's account. In addition, the user's authorization result and the hash of the capability token are recorded on-chain. The JSON content format of the capability token is as follows:
[Figure BDA0002623109680000041: JSON format of the capability token (image not reproduced)]
where "t_ID" represents the ID of the capability token, "issuers" represents the issuer of the token, "dig_sign" represents the digital signature of the token, "issuers_time" represents the generation time of the token, "expire_time" represents the expiration time of the token, "encrypt" represents the encryption type and public key of the token, and "is_delete" represents whether delegation is performed.
For the verification of the capability token: if enterprise A has not yet obtained a capability token, it must first apply for one through the steps above. Once it holds a token, when enterprise A sends a data request in the data sharing platform, the token is encrypted with the sharing platform's certificate and sent together with the data request. The platform receives enterprise A's data request information, decrypts it to obtain the capability token, and verifies the token. If verification passes, the link for obtaining the private data is encrypted with enterprise A's certificate and sent to enterprise A. If verification fails, request failure information is returned. The processing result is recorded on-chain through the evidence-storage contract.
For the delegation of the capability: in the authorization link, the owner of the private data may designate a capability delegate, a person or an enterprise (for example, enterprise B), to act on the owner's behalf. If the owner wants to revoke the delegate's capability, the capability is revoked through the authorization link. When the data sharing platform receives the user's capability revocation information, it updates the content of the capability token and sets the capability delegation field to false.
S5) Data sharing transaction records and the hashes of capability tokens are stored both in the sharing platform database and on the blockchain. The sharing platform queries transaction information through its back end for auditing, and on-chain queries are used to verify the authenticity of tokens and to trace data transactions and assign responsibility for them.
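The token lifecycle described in S4 and S5 (issue and sign, record the hash, verify, revoke), as an added Go example that is not code from the patent. Ed25519 signatures, the in-memory maps standing in for MySQL and the alliance chain, and all sample values are assumptions; the token carries only the fields the description names, and encryption to enterprise A's certificate is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token holds only the fields the description names, under the page's JSON keys.
type Token struct {
	ID         string `json:"t_ID"`
	Issuer     string `json:"issuers"`
	Sign       []byte `json:"dig_sign"` // base64 in JSON
	IssueTime  int64  `json:"issuers_time"`
	ExpireTime int64  `json:"expire_time"`
	Encrypt    string `json:"encrypt"`
	Delegated  bool   `json:"is_delete"` // page: "whether delegation is performed"
}

// Platform stands in for enterprise B's data sharing platform.
type Platform struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	store  map[string]Token    // off-chain copy (MySQL on the page)
	ledger map[string][32]byte // stand-in for the on-chain record: t_ID -> SHA-256
}

var (
	ErrSignature   = errors.New("signature invalid")
	ErrNotAnchored = errors.New("hash differs from on-chain record")
	ErrExpired     = errors.New("token expired")
	ErrRevoked     = errors.New("capability revoked")
)

func NewPlatform() *Platform {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Platform{priv: priv, pub: pub, store: map[string]Token{}, ledger: map[string][32]byte{}}
}

// digest is SHA-256 over the token's JSON; struct field order keeps it deterministic.
func digest(t Token) [32]byte {
	b, _ := json.Marshal(t) // cannot fail for strings, ints, bools and byte slices
	return sha256.Sum256(b)
}

// Issue runs after the user approves: sign, keep a copy, anchor the hash.
func (p *Platform) Issue(id string, now time.Time, ttl time.Duration) Token {
	t := Token{ID: id, Issuer: "enterprise-B", IssueTime: now.Unix(),
		ExpireTime: now.Add(ttl).Unix(), Encrypt: "placeholder", Delegated: true}
	msg := digest(t) // computed while dig_sign is still empty
	t.Sign = ed25519.Sign(p.priv, msg[:])
	p.store[id], p.ledger[id] = t, digest(t)
	return t
}

// Revoke sets the delegation field to false in the platform's copy, as the page describes.
func (p *Platform) Revoke(id string) {
	if t, ok := p.store[id]; ok {
		t.Delegated = false
		p.store[id] = t
	}
}

// Verify checks a presented token; revocation state comes from the platform, not the holder's copy.
func (p *Platform) Verify(t Token, now time.Time) error {
	anchor, sig := digest(t), t.Sign
	t.Sign = nil
	msg := digest(t)
	switch {
	case !ed25519.Verify(p.pub, msg[:], sig):
		return ErrSignature
	case p.ledger[t.ID] != anchor:
		return ErrNotAnchored
	case now.Unix() >= t.ExpireTime:
		return ErrExpired
	case !p.store[t.ID].Delegated:
		return ErrRevoked
	}
	return nil
}

// Scenario replays issue, verify and revoke with constructed values.
func Scenario() []error {
	p, now := NewPlatform(), time.Unix(1700000000, 0)
	tok := p.Issue("tok-001", now, time.Hour)
	stretched := tok
	stretched.ExpireTime += 86400 // holder edits its copy to extend validity
	out := []error{p.Verify(tok, now), p.Verify(stretched, now), p.Verify(tok, now.Add(2*time.Hour))}
	p.Revoke("tok-001")
	return append(out, p.Verify(tok, now)) // holder's copy still carries is_delete=true
}

func main() { fmt.Println(Scenario()) }
```

In the last case the holder's copy still passes the signature, hash and expiry checks after revocation; only the platform's stored delegation field rejects it, which is why verification has to consult the platform's record.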
Compared with access control schemes in existing data sharing scenarios, the access control scheme for user privacy data provided by the invention has the following benefits:
The scheme is based on an alliance chain and capability-based access control. Compared with traditional access control schemes it is lighter and more flexible, manages permissions efficiently and extends well, and is better suited to the one-to-one scenario of sharing enterprise users' private data.
The invention introduces a CA certificate service into capability access control and the data flow, guarantees the authenticity of data through asymmetric encryption and digital signatures, and effectively avoids network attacks and data leakage during transactions.
The invention introduces alliance chain technology for data storage. An alliance chain processes transactions faster than a public chain. In addition, information such as data transactions is recorded on-chain, relying on the tamper-resistance of the alliance chain, so that the record of authorized data use is explicit and non-repudiable evidence is provided for the steps in which data is opened and used.
Drawings
Fig. 1 is a system architecture diagram.
Fig. 2 is a functional block diagram.
FIG. 3 is a diagram of a capability control scheme.
Fig. 4 is a schematic diagram of data presentation.
FIG. 5 is a diagram of a registration page.
FIG. 6 is a diagram illustrating a certificate application.
FIG. 7 is a schematic diagram of a data request.
Fig. 8 is a diagram illustrating user authorization.
Detailed Description
For a better understanding of the objects, aspects and advantages of the invention, the following detailed description is given with reference to the accompanying drawings. The specific steps of the implementation case are as follows:
Step 001: Enterprise A opens the website of enterprise B's data sharing platform, fills in registration information, and registers an account, as shown in fig. 5.
Step 002: Enterprise A opens the certificate service website and applies for a digital certificate, as shown in fig. 6.
Step 003: Enterprise A browses the sharable user data listed on the platform, clicks to apply for data, fills in the request information, and imports its digital certificate, as shown in fig. 7.
Step 004: The data owner user receives the data request authorization short message, opens the link in the short message, and fills in the capability authorization information, as shown in fig. 8.
Step 005: The data sharing platform of enterprise B generates a capability token, encrypts it, and sends it securely to enterprise A's account.
Step 006: Enterprise A sends a data request carrying the capability token. If the sharing platform verifies it successfully, the data owner is notified by short message that the user private data is being used, and the link to the private data retrieval interface is returned; enterprise A decrypts it with its certificate to obtain the interface address and retrieves the data. If the sharing platform's verification fails, verification failure information is returned.
Step 007: Enterprise A verifies the authenticity of the token and the transaction record by querying on the chain.
Step 008: The data owner user clicks the capability revocation link to revoke the previous authorization, and the sharing platform promptly updates the token information.
In the implementation case of the invention, data related to user privacy in an enterprise's internal database is selected, including private data such as user credit, user tracks and user browsing records. A multi-host Fabric blockchain network is built on three CentOS 7 servers, and a CA service is built on a Windows Server 2008 server. Enterprise A, the data requester, applies for data through step 003; enterprise B notifies the data owner user of the request; the user authorizes through step 004; enterprise B sends the token to enterprise A through step 005; and enterprise A obtains the data through step 006.

Claims (10)

1. First, in an established alliance chain, enterprise B establishes an alliance and creates different business channels for the different enterprises requesting data; when enterprise A requests data, enterprise A and enterprise B join the same data business channel;
second, a server is built in a VMware virtual machine, a CA is configured on the server, and a CA service is set up; enterprise A and enterprise B apply for their own digital identity certificates through this CA service; the method is characterized by the following implementation steps:
S1) the data sharing platform of enterprise B displays the data list;
1) attaching category labels to the back-end sensitive data;
2) displaying the data on the sharing platform, classified by label;
S2) enterprise A registers a platform account;
1) registering a platform account;
2) applying for a digital certificate;
S3) enterprise A requests data;
1) viewing the list of obtainable data;
2) sending a data request;
S4) the platform performs capability control over the data;
1) applying for a capability token;
2) verifying the capability token;
3) capability delegation;
S5) query and audit;
1) querying data transactions on-chain;
2) querying data transactions off-chain.
2. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: the content in the S1) is displayed on the data sharing platform of the enterprise B in a label mode by analyzing and classifying the data in the background database in the data sharing platform.
3. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: the content in the S2) is account information registered by the enterprise A on a data sharing platform of the enterprise B, the registered information comprises an enterprise name and enterprise scale description information, and a platform account private to the enterprise A is generated; in addition, company a applies for a certificate to the CA service, the private key itself being stored locally for subsequent encryption operations.
4. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: s3), logging in a data sharing platform of an enterprise B after the enterprise A registers the account, checking a user privacy data list, and searching a specified user data privacy information list according to the user keyword; when enterprise A needs private data of a certain user, clicking application, filling a data request, wherein the data request content comprises requester information, the purpose of the requested data, the name of the user, whether a capability token exists or not and a digital certificate of the user; and encapsulating the data request information into a JSON format and sending the JSON format, and chaining the chain storage certificate through a storage certificate contract.
5. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: s4), the content is a data sharing platform of the enterprise B, and the process of controlling the authority of the data access of the enterprise A is divided into three parts: application of the ability token, auditing of the ability token and delegation of the ability.
6. The block chain-based privacy data sharing-oriented capability access control method according to claim 5, wherein: for the application of the ability token, after the enterprise A submits a data request, the platform packages the data request information of the enterprise A and sends the data request information to a designated user in the form of a short message, after the user receives the short message, the user checks the content of the short message and opens a Web authorization link in the short message, and if the user agrees, corresponding authorization information is filled in for generating the ability token; if not, clicking to reject the data access request; when the platform collects the content of the Web authorization page, if the authorization is agreed, the data sharing platform generates a capability token according to the collected user authorization information, and the token information is encrypted through a digital certificate of an enterprise A and then carries a signature to be sent to an account of the enterprise A; if not, returning the refusal information to the account of the enterprise A; in addition, the authorization result information of the user and the hash of the capability token are uploaded for storage.
7. The block chain-based privacy data sharing-oriented capability access control method according to claim 5, wherein: for the examination and verification of the authority token, when the enterprise A does not obtain the authority token, firstly, the enterprise A needs to apply for the authority token through the steps, and after the authority token is applied for obtaining, when the enterprise A sends a data request in the data sharing platform, the applied authority token is encrypted through a sharing platform certificate and then is sent together with the data request; the platform receives the data request information of the enterprise A, decrypts the data request information to obtain a capability token, and verifies the token; after the verification is passed, the private data acquisition link is encrypted by the enterprise A certificate and then is sent to the A; if the verification fails, returning request failure information; the processing result links chain storage and evidence through a storage and evidence contract.
8. The block chain-based privacy data sharing-oriented capability access control method according to claim 5, wherein: for the authorization of the capability, the user who owns the private data designates the capability principal or enterprise in the authorization link; if the owner wants to revoke the right of the capability principal, the owner revokes the capability through the authorization link; when the data sharing platform receives the user's capability revocation information, it updates the content of the capability token and sets the capability delegation field to false.
9. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: in S5), the hash of the data sharing transaction record and capability token is stored in the sharing platform database and on the block chain; the sharing platform queries transaction information through its back end for auditing, and queries the chain to verify the authenticity of the token and to trace the source of, and responsibility for, data transactions.
10. The block chain-based privacy data sharing-oriented capability access control method according to claim 1, wherein: the sharing and circulation of private data of enterprise users is realized by combining the capability-based access control model with the alliance chain; the capability access control method for private data sharing is implemented with an enterprise data sharing platform as its carrier; the enterprise data sharing platform is implemented with separated front end and back end: the front end is implemented with the Vue framework, and the back end is a RESTful API service based on Spring Boot + MyBatis that the front-end pages call; because the block chain is weaker in performance and storage, the database is the mainstream relational database MySQL; an alliance chain is selected as the underlying chain, and the alliance chain network is built in Docker containers; Go is selected as the development language for chaincode contracts; on-chain data is stored in a LevelDB database on the blockchain nodes; and the platform implements on-chain and off-chain storage and query auditing through MySQL and the alliance chain;
the method has the following roles:
the data requester: in the enterprise private data sharing scenario, the data requester is an enterprise that needs user private data;
the data owner: in the enterprise private data sharing scenario, the data owner is an enterprise that stores user private data, and the enterprise does not have the authority to share and use the user private data;
the data owner: in the enterprise private data sharing scenario, the data owner is an individual user, and ownership of the data belongs to that individual user; that is, the data cannot be traded privately without the authorization of the user.
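The token lifecycle of claims 6 to 9 (issue and anchor the hash, verify against the chain record, revoke by clearing the delegation field) can be sketched as follows. This is an added example, not code from the patent; the token fields other than the delegation flag, the choice of Ed25519, SHA-256 and JSON encoding, and the in-memory map standing in for the chain are assumptions, and the certificate encryption of the token in transit is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Token struct { // field layout is an assumption; the claims name only the delegation field
	ID, Holder, Resource string
	Delegation           bool
}

var pubKey, privKey, _ = ed25519.GenerateKey(nil) // platform key pair; nil selects crypto/rand
var ledger = map[string][32]byte{}                // stand-in for the chain: token ID -> SHA-256

// Issue anchors the token hash and returns the platform signature (claim 6).
func Issue(t Token) []byte {
	b, _ := json.Marshal(t)
	ledger[t.ID] = sha256.Sum256(b)
	return ed25519.Sign(privKey, b)
}

// Revoke sets the delegation field to false and re-anchors the token (claim 8).
func Revoke(t Token) []byte {
	t.Delegation = false
	return Issue(t)
}

// Verify checks the signature, the anchored hash and the delegation flag (claims 7 and 9).
func Verify(t Token, sig []byte) error {
	b, _ := json.Marshal(t)
	switch {
	case !ed25519.Verify(pubKey, b, sig):
		return fmt.Errorf("bad signature")
	case ledger[t.ID] != sha256.Sum256(b):
		return fmt.Errorf("hash differs from ledger record")
	case !t.Delegation:
		return fmt.Errorf("delegation disabled")
	}
	return nil
}

func main() {
	t := Token{"tok-1", "enterprise-A", "user-42/profile", true} // constructed sample
	sig := Issue(t)
	Revoke(t)
	fmt.Println(Verify(t, sig)) // the stale copy no longer matches the ledger
}
```

A correctly signed copy held by the enterprise stops verifying as soon as the anchored hash changes, which is why the chain lookup in claim 9 matters in addition to the signature check.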
CN202010789050.8A 2020-08-07 2020-08-07 Block chain-based privacy data sharing-oriented capability access control method Active CN112118221B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010789050.8A CN112118221B (en) 2020-08-07 2020-08-07 Block chain-based privacy data sharing-oriented capability access control method

Publications (2)

Publication Number Publication Date
CN112118221A true CN112118221A (en) 2020-12-22
CN112118221B CN112118221B (en) 2022-11-04

Family

ID=73803731

Country Status (1)

Country Link
CN (1) CN112118221B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110222518A (en) * 2019-05-30 2019-09-10 北京工业大学 Credible powers and functions access control method based on block chain
CN110299195A (en) * 2019-06-11 2019-10-01 中国矿业大学 The electronic health record shared system and application method with secret protection based on alliance's chain
CN110692228A (en) * 2019-03-01 2020-01-14 阿里巴巴集团控股有限公司 Method and equipment for protecting transaction activity sensitive data based on intelligent contracts in blockchain
CN111062807A (en) * 2019-12-17 2020-04-24 北京工业大学 Internet of things data service credit assessment method based on block chain
US20200195645A1 (en) * 2019-07-24 2020-06-18 Alibaba Group Holding Limited Blockchain-based account management
CN111444261A (en) * 2020-02-13 2020-07-24 江苏荣泽信息科技股份有限公司 Enterprise data sharing model based on block chain

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周艺华 et al.: "Blockchain-based data management scheme", 《信息安全研究》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022161124A1 (en) * 2021-01-29 2022-08-04 北京京东拓先科技有限公司 Data sharing method and apparatus
CN113139198A (en) * 2021-05-08 2021-07-20 钦州云之汇大数据科技有限公司 Enterprise management information sharing system based on Internet
CN113139198B (en) * 2021-05-08 2023-03-31 上海埃林哲软件系统股份有限公司 Enterprise management information sharing system based on Internet
CN113329003A (en) * 2021-05-24 2021-08-31 广州大学 Access control method, user equipment and system for Internet of things
CN113329003B (en) * 2021-05-24 2022-02-11 广州大学 Access control method, user equipment and system for Internet of things
CN113315837A (en) * 2021-05-27 2021-08-27 广联达科技股份有限公司 Enterprise data sharing platform
CN113572794A (en) * 2021-09-27 2021-10-29 江苏荣泽信息科技股份有限公司 Trusted transmission sharing system and method for standing book data
CN113572794B (en) * 2021-09-27 2022-03-29 江苏荣泽信息科技股份有限公司 Trusted transmission sharing system and method for standing book data

Also Published As

Publication number Publication date
CN112118221B (en) 2022-11-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant