CN114329636B - Judicial data access control method, system, equipment and storage medium - Google Patents

Judicial data access control method, system, equipment and storage medium Download PDF

Info

Publication number
CN114329636B
CN114329636B CN202210213700.3A CN202210213700A CN114329636B CN 114329636 B CN114329636 B CN 114329636B CN 202210213700 A CN202210213700 A CN 202210213700A CN 114329636 B CN114329636 B CN 114329636B
Authority
CN
China
Prior art keywords
data
accessed
access
node
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210213700.3A
Other languages
Chinese (zh)
Other versions
CN114329636A (en
Inventor
胡彬梅
孙福辉
张志威
王晓燕
王国仁
袁琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
People's Court Information Technology Service Center
Original Assignee
People's Court Information Technology Service Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by People's Court Information Technology Service Center filed Critical People's Court Information Technology Service Center
Priority to CN202210213700.3A priority Critical patent/CN114329636B/en
Publication of CN114329636A publication Critical patent/CN114329636A/en
Application granted granted Critical
Publication of CN114329636B publication Critical patent/CN114329636B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The present disclosure relates to the field of information technology, and in particular, to a method, a system, a device, and a storage medium for controlling access to judicial data. The method comprises the following steps: the method comprises the steps that a client side obtains data to be accessed, determines a first father node in a Mercker hash tree stored on the client side of the data to be accessed, and sends the first father node and the data to be accessed to an access controller in a trusted execution environment; the access controller acquires a second father node of the data to be accessed in a Merckel hash tree from the client and performs first access control on the data to be accessed according to the first father node and the second father node; when the data to be accessed is allowed to be accessed, the trusted execution environment updates the first father node into a trusted Mercker hash tree stored in the trusted execution environment, and when the client acquires the data to be accessed again, the access controller performs second access control on the data to be accessed according to the trusted Mercker hash tree. Through the embodiment, the computing performance and efficiency of access control on judicial data are improved.

Description

Judicial data access control method, system, equipment and storage medium
Technical Field
The present disclosure relates to the field of information technology, and in particular, to a method, a system, a device, and a storage medium for controlling access to judicial data.
Background
Under the background of the era that the global information process is continuously accelerated, judicial systems gradually enter the networked era, and with the development of informatization of the judicial field, how to access and control judicial sensitive data becomes a hot point concerned in the field.
The general idea of the current access control method for judicial sensitive data is to store encrypted hash of data in a trusted location, authorize each time data is updated by a processor at the trusted location, update the data stored at the trusted location, and compare the current state of the data to be accessed by the processor at the trusted location with the stored hash value of the data to determine whether the data is tampered or not when the data is accessed each time. The method for managing the hash value at the credit granting position is to use a merkel hash tree to store the root node of the merkel hash tree at the credit granting position, and the host needs to calculate the hash value of the root node and then compare the hash value with the hash value of the root node stored at the credit granting position during verification. Another approach is to delay memory validation, the key idea being to delay validating a batch of operations rather than validating each operation individually, which, while improving concurrency, may result in transaction commit delays exceeding the application-allowed delays, thereby resulting in operation failures that affect overall performance.
At present, a judicial data access control method is urgently needed, so that the problems of low verification efficiency and poor performance of access control of judicial sensitive data in the prior art are solved.
Disclosure of Invention
In order to solve the problems of low verification efficiency and poor performance of access management of judicial sensitive data in the prior art, embodiments of the present disclosure provide a method, a system, a device, and a storage medium for access control of judicial data, so as to improve the access management efficiency of judicial data.
In order to solve the technical problems, the specific technical scheme is as follows:
in one aspect, embodiments herein provide a method for access control of judicial data, comprising,
the method comprises the steps that a client acquires data to be accessed, determines a first father node in a Mercker hash tree stored on the client of the data to be accessed, and sends the first father node and the data to be accessed to an access controller in a trusted execution environment;
the access controller acquires a second parent node of the data to be accessed in the Mercker hash tree from the client, wherein the second parent node and the first parent node are in the same position in the Mercker hash tree;
the access controller performs first access control on the data to be accessed according to the first father node and the second father node, wherein the first access control comprises the access controller judging whether the first father node and the second father node are the same or not, and if the first father node and the second father node are the same, the access controller allows the data to be accessed;
when access to the data to be accessed is allowed, the trusted execution environment updates the first parent node into a trusted merkel hash tree stored in the trusted execution environment, when the client acquires the data to be accessed again, the client determines the first parent node and sends the first parent node and the data to be accessed to the access controller, so that the access controller performs second access control on the data to be accessed according to the trusted merkel hash tree, the data to be accessed and the first parent node, wherein the second access control comprises the access controller determining a third parent node corresponding to the first parent node in the trusted merkel hash tree, determining whether the third parent node is the same as the first parent node, and if the third parent node is the same as the first parent node, allowing access to the data to be accessed, the trusted Mercker hash tree has the same structure as the Mercker hash tree.
Further, when the data to be accessed is plural, the method further includes,
the method comprises the steps that a client acquires a plurality of data to be accessed, determines a first father node of the data to be accessed in a Mercker hash tree stored on the client, and sends the first father nodes and the data to be accessed to an access controller;
the access controller acquires a fourth father node of the first father nodes in the Mercker hash tree from the client, wherein the fourth father node is a common father node of the first father nodes;
the access controller performs third access control on the plurality of data to be accessed according to the fourth parent node and a plurality of first parent nodes;
wherein the third access control includes the access controller calculating a common parent node of the plurality of first parent nodes according to the merkel hash tree, determining whether the calculated common parent node is the same as the fourth parent node, and if so, allowing access to the plurality of data to be accessed.
Further, the fourth parent node is a common parent node in the merkel hash tree closest to the plurality of first parent nodes.
Further, when the data to be accessed is plural, the method further includes,
the method comprises the steps that a client acquires a plurality of data to be accessed, and a first father node of the data to be accessed in a Mercker hash tree stored on the client is determined;
and the client sends the first father nodes to a plurality of access controllers in the trusted execution environment, so that the access controllers respectively perform first access control on the data to be accessed received respectively.
Further, after the client sends the plurality of first parent nodes to a plurality of access controllers in the trusted execution environment, the method further comprises,
the plurality of access controllers add access tags to the plurality of first parent nodes;
before the first access control is performed on the data to be accessed received by the multiple access controllers respectively, the method further comprises,
and the plurality of access controllers judge whether to perform the first access control on the data to be accessed corresponding to the plurality of first father nodes according to the access marks of the plurality of first father nodes.
Further, the trusted merkel hash tree comprises a plurality of subtrees divided by regions, and the plurality of subtrees correspond to the plurality of access controllers;
updating the first parent node into a trusted merkel hash tree stored in the trusted execution environment further comprises,
and the plurality of access controllers respectively update the first parent nodes corresponding to the data to be accessed, which are received respectively, into the sub-trees which correspond respectively.
Further, after the client acquires the data to be accessed again and determines the first parent node of the data to be accessed in the Merckel hash tree stored on the client, the method also comprises the following steps,
and the client sends the first father node and the data to be accessed to the access controller corresponding to the area of the subtree with the corresponding relation with the area according to the data to be accessed belonging to the area in the merkel hash tree, so that the access controller performs second access control on the data to be accessed according to the corresponding subtree, the data to be accessed and the first father node, wherein the second access control further comprises the access controller determining a third father node corresponding to the first father node in the subtree, and judging whether the third father node is the same as the first father node, and if so, allowing the data to be accessed.
In another aspect, embodiments herein further provide a system for controlling access to judicial data, including a client and an access controller operating in a trusted execution environment;
and when the client and the access controller perform access control on the data to be accessed, executing the method.
In another aspect, embodiments herein also provide a computer device, including a memory, a processor, and a computer program stored on the memory, where the processor implements the above-mentioned method when executing the computer program.
Finally, embodiments herein also provide a computer storage medium having a computer program stored thereon, the computer program, when executed by a processor of a computer device, performing the above-described method.
With the embodiments herein, when a user accesses judicial data, the client first obtains the data that the user wants to access, wherein the data to be accessed may be one or more, then the client determines a first parent node of the data to be accessed in a merkel hash tree stored on the client, then the client sends the first parent node and the data to be accessed to the access controller, the access controller is deployed in a trusted execution environment, thereby ensuring the trustworthiness of the access controller operation through the trusted execution environment, the access controller then retrieves the second parent node in the merkel hash tree stored on the client for the data to be accessed from the client, and then the access controller judges whether the first father node and the second father node are the same, if so, the data to be accessed is not tampered on a path of sending the data to the access controller by the client, and the data to be accessed is allowed to be accessed. The credibility of the credible Mercker tree is guaranteed through the credible execution environment, the access controller does not need to share the same father node of the Mercker Hash tree, only needs to acquire a second father node with the same position as the first father node from the client, and judges whether the second father node is the same as the first father node or not, so that the computing performance of access control on judicial data is improved.
When the first father node and the second father node are judged to be the same, the trusted execution environment updates the first father node into the trusted Mercker Hash number stored in the trusted execution environment, and the credibility of the trusted Mercker tree is guaranteed through the trusted execution environment. When the client receives the data to be accessed again, the client sends the first father node of the data to be accessed and the data to be accessed to the access controller, the access controller searches a third father node corresponding to the data to be accessed in a trusted Mercker hash tree stored in a trusted execution environment, then judges whether the first father node and the third father node are the same, if the first father node and the third father node are the same, the data to be accessed is not tampered, and the data to be accessed is allowed to be accessed, so that the judgment of whether the father node sent by the client is the same as the father node corresponding to the father node in the trusted Mercker hash tree is realized, and the root node of the Mercker hash tree obtained by calculating all the father nodes of the data to be accessed along the path of the Mercker hash tree is not needed, and then the judgment of whether the root node of the trusted Mercker hash tree is the same as the root node of the Mercker hash tree of the client is carried out, therefore, the workload of carrying out access control on the data to be accessed is reduced, and the efficiency of carrying out access control on judicial data is improved.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of an implementation system of a judicial data access control method according to an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating a method for controlling access to judicial data according to an embodiment of the present disclosure;
FIG. 3 illustrates a process for performing access control on multiple pieces of data to be accessed in a unified manner according to an embodiment of the present disclosure;
FIG. 4 illustrates a process for access control of multiple data to be accessed in parallel according to an embodiment herein;
FIG. 5 is a block diagram illustrating a judicial data access control system according to an embodiment of the present disclosure;
FIG. 6 is a data flow diagram illustrating an access control system for judicial data according to an embodiment herein;
fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure.
[ description of reference ]:
101. a client;
102. a server;
501. a client;
502. an access controller;
702. a computer device;
704. a processing device;
706. a storage resource;
708. a drive mechanism;
710. an input/output module;
712. an input device;
714. an output device;
716. a presentation device;
718. a graphical user interface;
720. a network interface;
722. a communication link;
724. a communication bus.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below clearly and completely with reference to the drawings in the embodiments of the present invention, and it is obvious that the embodiments described are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments herein without making any creative effort, shall fall within the scope of protection.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments herein described are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a schematic diagram of an implementation system of an access control method for judicial data according to an embodiment of the present disclosure, which may include: the client 101 and the server 102, the client 101 stores a plurality of judicial data through the merkel hash tree, each judicial data is a leaf node in the merkel hash tree, a root node calculated by each leaf node along a path of the merkel hash tree can represent a unique identifier of the judicial data corresponding to all the leaf nodes, when the judicial data on any one leaf node is updated, the client recalculates all father nodes of the judicial data according to the updated judicial data and the path of the merkel hash tree, and finally updates the root node of the merkel hash tree. The client 101 may receive a judicial data access request of a user, where the access request includes data to be accessed of the user, the client 101 may communicate with the server 102 through a network, and send the data to be accessed to the server 102, and an access controller deployed on the server 102 performs access control on the data to be accessed in the judicial data access request of the user. The Network in which the client 101 communicates with the server 102 may include a Local Area Network (LAN), a Wide Area Network (WAN), the internet, or a combination thereof, and is connected to websites, user devices (e.g., computing devices), and backend systems.
In addition, it should be noted that fig. 1 shows only one application environment provided by the present disclosure, and in practical applications, other application environments may also be included, for example, access control on medical data of each hospital may also be implemented on the client 101 and the server 102, and this specification is not limited.
The client 101 sends the data to be accessed to the access controller on the server 102 through the network, and the data to be accessed may be tampered during the network transmission process, so that the client 101 cannot determine the security of the data to be accessed, which may result in the theft of judicial data. Therefore, in view of the above situation, the embodiments herein provide a method for controlling access to judicial data, which achieves access control to judicial data and improves computational performance and control efficiency of access control. Fig. 2 is a flowchart illustrating a judicial data access control method according to an embodiment of the present disclosure. The process of access control to judicial data is described in the present figure, but may include more or fewer steps based on routine or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual system or apparatus product executes, it can execute sequentially or in parallel according to the method shown in the embodiment or the figures. Specifically, as shown in fig. 2, the method may include:
step 201: the method comprises the steps that a client side obtains data to be accessed, a first father node in a Merckel hash tree of the data to be accessed stored on the client side is determined, and the first father node and the data to be accessed are sent to an access controller in a trusted execution environment;
step 202: the access controller acquires a second parent node of the data to be accessed in the Mercker hash tree from the client, wherein the second parent node and the first parent node are in the same position in the Mercker hash tree;
step 203: the access controller performs first access control on the data to be accessed according to the first father node and the second father node, wherein the first access control comprises the access controller judging whether the first father node and the second father node are the same or not, and if the first father node and the second father node are the same, the access controller allows the data to be accessed;
step 204: when access to the data to be accessed is allowed, the trusted execution environment updates the first parent node into a trusted merkel hash tree stored in the trusted execution environment, when the client acquires the data to be accessed again, the client determines the first parent node and sends the first parent node and the data to be accessed to the access controller, so that the access controller performs second access control on the data to be accessed according to the trusted merkel hash tree, the data to be accessed and the first parent node, wherein the second access control comprises the access controller determining a third parent node corresponding to the first parent node in the trusted merkel hash tree, determining whether the third parent node is the same as the first parent node, and if the third parent node is the same as the first parent node, allowing access to the data to be accessed, the trusted Mercker hash tree has the same structure as the Mercker hash tree.
By the method of the embodiment, when a user accesses judicial data, a client first acquires data to be accessed by the user, wherein the data to be accessed may be one or more, then the client determines a first parent node in a merkel hash tree in which the data to be accessed is stored on the client, then the client sends the first parent node and the data to be accessed to an access controller, the access controller is deployed in a trusted execution environment, so that the credibility of the operation of the access controller is ensured through the trusted execution environment, then the access controller acquires a second parent node in the merkel hash tree in which the data to be accessed is stored on the client, then the access controller determines whether the first parent node and the second parent node are the same, and if the first parent node and the second parent node are the same, the data to be accessed is not tampered on a path of sending the data to the access controller by the client, and allows access to the data to be accessed. The access controller does not need to share the same father node of the Mercker Hash tree, only needs to acquire a second father node with the same position as the first father node from the client, and judges whether the second father node is the same as the first father node or not, so that the computing performance of access control on judicial data is improved.
When the first father node and the second father node are judged to be the same, the trusted execution environment updates the first father node into the trusted Mercker Hash number stored in the trusted execution environment, and the credibility of the trusted Mercker tree is guaranteed through the trusted execution environment. When the client receives the data to be accessed again, the client sends the first father node of the data to be accessed and the data to be accessed to the access controller, the access controller searches a third father node corresponding to the data to be accessed in a trusted Mercker hash tree stored in a trusted execution environment, then judges whether the first father node and the third father node are the same, if the first father node and the third father node are the same, the data to be accessed is not tampered, and the data to be accessed is allowed to be accessed, so that the judgment of whether the father node sent by the client is the same as the father node corresponding to the father node in the trusted Mercker hash tree is realized, and the root node of the Mercker hash tree obtained by calculating all the father nodes of the data to be accessed along the path of the Mercker hash tree is not needed, and then the judgment of whether the root node of the trusted Mercker hash tree is the same as the root node of the Mercker hash tree of the client is carried out, therefore, the workload of carrying out access control on the data to be accessed is reduced, and the efficiency of carrying out access control on judicial data is improved.
In this embodiment, a plurality of judicial data are stored in the merkel hash tree stored on the client, each judicial data is used as a leaf node in the merkel hash tree, according to the structure of the merkel hash tree, one or more leaf nodes correspond to one parent node, the parent node is a key value record of the code of the judicial data corresponding to the leaf node, a plurality of parent nodes correspond to one root node in the merkel hash tree, when any piece of judicial data is updated, the client calculates the values of the parent nodes corresponding to the leaf nodes of the judicial data along the path of the merkel hash tree, and finally updates the value of the root node of the merkel hash tree. The access controller is located at a far end of the client, the client and the access controller communicate through a network, the access controller is deployed in a trusted execution environment, and since the trusted execution environment may be a secure area within a main processor of the server 102, and the trusted execution environment runs in an independent environment and runs in parallel with an operating system of the server 102, confidentiality and integrity of code and data loaded in the trusted execution environment can be ensured, so that the trustworthiness of the access controller is ensured through the trusted execution environment.
When a client acquires data to be accessed, a first father node of the data to be accessed is calculated according to a Mercker hash tree stored in the client, then the data to be accessed and the first father node are sent to an access controller, the access controller acquires a second father node of the data to be accessed in the Mercker hash tree from the client, if the data to be accessed is not tampered in the data transmission process of the client and the access controller, the first father node and the second father node are the same, otherwise, the first father node and the second father node are different, when the access controller judges that the first father node and the second father node are the same, the data to be accessed is allowed to be accessed, meanwhile, a trusted execution environment updates the first father node into the trusted Mercker hash tree stored in the trusted execution environment, because the trusted Mercker hash tree is stored in the trusted execution environment, thereby ensuring the trustworthiness of the trusted merkel hash number. When the client acquires the data to be accessed again, the client sends the data to be accessed and the father node corresponding to the data to be accessed in the Mercker hash tree to the access controller, the access controller determines a third father node corresponding to the data to be accessed in the credible Mercker hash tree, if the data to be accessed is not tampered, the third father node is the same as the first father node, otherwise, the third father node is different from the first father node. When the access controller judges that the third parent node is the same as the first parent node, the access controller allows the access to the data to be accessed.
It should be noted that, after the access controller in the trusted execution environment determines that the first parent node is the same as the second parent node, the access controller may update the first parent node into the trusted mercker hash tree, or other processors in the trusted execution environment may update the first parent node into the trusted mercker hash tree, which is not limited in this embodiment.
When the client receives a batch of data to be accessed, the client needs to send each piece of data to be accessed and a first father node of the data to be accessed to the access controller, and if the access controller obtains a second father node of each piece of data to be accessed from the client, and judges whether each first father node and each second father node are the same, the efficiency of access control will be reduced. Therefore, to solve the above-mentioned problem, according to one embodiment herein, as shown in fig. 3, when the data to be accessed is plural, the method further includes,
step 301: the method comprises the steps that a client acquires a plurality of data to be accessed, determines a first father node of the data to be accessed in a Merckel hash tree stored on the client, and sends the first father nodes and the data to be accessed to an access controller;
step 302: the access controller acquires a fourth father node of the first father nodes in the Merckel hash tree from the client, wherein the fourth father node is a common father node of the first father nodes;
step 303: and the access controller performs third access control on the plurality of data to be accessed according to the fourth father node and the plurality of first father nodes, wherein the third access control comprises the access controller calculating a common father node of the plurality of first father nodes according to the Mercker hash tree, judging whether the calculated common father node is the same as the fourth father node, and if so, allowing the plurality of data to be accessed.
In this embodiment, the client may acquire a plurality of pieces of data to be accessed simultaneously, then determine a first parent node of each piece of data to be accessed according to the merkel hash tree, and simultaneously send the plurality of pieces of data to be accessed and the corresponding plurality of first parent nodes to the access controller.
After receiving the multiple pieces of data to be accessed and the corresponding first father nodes, the access controller obtains a common father node corresponding to the multiple pieces of data to be accessed from the client, specifically, after receiving a request for obtaining the common father node sent by the access controller, the client searches for the common father node of the multiple pieces of data to be accessed as a fourth father node along a path of the merkel hash tree, where the fourth father node may be an intermediate father node in the merkel hash tree or a root node of the merkel hash tree. And after receiving the fourth father node, the access controller calculates a common father node of the first father nodes according to the path of the Mercker Hash tree, if the data to be accessed sent by the client is not tampered, the fourth father node acquired by the access controller is the same as the calculated common father node, otherwise, if any data to be accessed in the data to be accessed sent by the client is tampered, the fourth father node acquired by the access controller is different from the calculated common father node. When the access controller judges that the common parent node calculated is the same as the fourth parent node, access to a plurality of data to be accessed is permitted.
In this embodiment, since the fourth parent node may be a parent node on the path of the mercker hash tree or a root node of the mercker hash tree, when the fourth parent node is the root node of the mercker hash tree, the access controller needs to calculate the parent nodes of the plurality of first parent nodes along the path of the mercker hash tree until the root node is obtained, which increases the calculation amount of the access controller and reduces the efficiency of the access control, and therefore, in order to reduce the calculation amount of the access controller, according to an embodiment herein, the fourth parent node is a common parent node closest to the plurality of first parent nodes in the mercker hash tree.
In this embodiment, when the fourth parent node is a common parent node closest to the plurality of first parent nodes in the merkel hash tree, the access controller only needs to calculate the common parent node closest to the plurality of first parent nodes along the path of the merkel hash tree, and does not need to calculate the root node of the merkel hash tree, so that the calculation amount of the access controller is reduced, and the efficiency of access control is improved.
According to an embodiment of the present disclosure, in order to improve the parallelism of access control when the client obtains a plurality of access data, as shown in fig. 4, when the data to be accessed is a plurality of data, the method further includes,
step 401: the method comprises the steps that a client acquires a plurality of data to be accessed, and a first father node of the data to be accessed in a Mercker hash tree stored on the client is determined;
step 402: and the client sends the first father nodes to a plurality of access controllers in the trusted execution environment, so that the access controllers respectively perform first access control on the data to be accessed received respectively.
In the embodiment, the trusted execution environment may further include a plurality of access controllers, and each access controller may work independently. When a client acquires a plurality of pieces of data to be accessed, a first father node of each piece of data to be accessed in a Mercker hash tree is determined, then the plurality of pieces of data to be accessed and the corresponding plurality of first father nodes are sent to a plurality of access controllers (it can be understood that one piece of data to be accessed and the first father node of the piece of data to be accessed are sent to one access controller together), then the access controller acquires a second father node of the piece of data to be accessed received by the client, then judges whether the first father node received by the client is the same as the acquired second father node, and if the first father node and the acquired second father node are the same, the access to the piece of data to be accessed is allowed. The plurality of access controllers execute the steps in parallel to perform access control on the data to be accessed, so that the parallelism of the access control is improved, and the efficiency of the access control is improved.
In this embodiment, since the multiple access controllers perform access control on the multiple pieces of data to be accessed in parallel, when the client receives the same piece of data to be accessed multiple times sequentially, the situation of performing multiple access control on the same piece of data to be accessed may occur, resulting in waste of computing resources. Thus, according to one embodiment herein, after the client sends the plurality of first parent nodes to a plurality of access controllers in the trusted execution environment, the method further comprises,
the plurality of access controllers add access tags to the plurality of first parent nodes;
before the first access control is performed on the data to be accessed received by the multiple access controllers respectively, the method further comprises,
and the plurality of access controllers judge whether to perform the first access control on the data to be accessed corresponding to the plurality of first parent nodes according to the access marks of the plurality of first parent nodes.
In this embodiment, the type of the access flag may be a timestamp, when the access controller receives the first parent node, the access controller records a current time on the first parent node, which indicates that the access control has been performed on the data to be accessed, before the multiple access controllers perform the first access control on the data to be accessed respectively received, each access controller first determines whether the received first parent node has performed the access control, specifically, the access controller may determine whether the received first parent node has a timestamp marked thereon, and if so, determines that the first parent node has performed the access control, and the access controller does not perform the access control on the data to be accessed any more. In addition, in order to avoid that access control cannot be performed on the data to be accessed again if the timestamp is marked on the corresponding first parent node after the data to be accessed is updated, an effective time may be set for the timestamp marked on the first parent node, if the access controller receives the first parent node, a marking duration of the timestamp is calculated according to the timestamp of the first parent node and the current time of the access controller, and if the marking duration exceeds the effective time, the timestamp of the first parent node is considered to be invalid, and the access controller continues to perform access control on the data to be accessed. In addition, the type of the access flag may also be a flag state (flag), the access controller may determine whether the received first parent node is in the flag state (flag), if so, it is determined that the first parent node has already performed access control, and the access controller does not perform access control on the data to be accessed any more.
According to one embodiment herein, the trusted merkel hash tree may further include a plurality of regionally partitioned sub-trees corresponding to the plurality of access controllers;
updating the first parent node into a trusted merkel hash tree stored in the trusted execution environment further comprises,
the plurality of access controllers respectively update the first parent nodes corresponding to the received data to be accessed into the sub-trees corresponding to the first parent nodes.
In this embodiment, the trusted mercker hash tree stored in the trusted execution environment and the mercker coefficient stored in the client have the same structure, the trusted mercker hash tree may be divided into a plurality of regions according to the structure of the trusted mercker hash tree or the mercker hash tree, each region includes a number of judicial data, then according to the region divided by the trusted mercker hash tree, the trusted mercker hash tree is divided into a plurality of subtrees, each subtree includes a leaf node corresponding to the judicial data of the region and a parent node corresponding to each leaf node, and the plurality of subtrees correspond to the plurality of access controllers, it can be understood that one subtree corresponds to one access controller, and each access controller maintains its corresponding subtree.
When the access controller performs first access control on the data to be accessed received by the access controller, if the result of the access control is that the data to be accessed is allowed to be accessed, the access controller updates a first parent node corresponding to the data to be accessed into a corresponding sub-tree, so that when the client acquires the data to be accessed again, the access controller performs second access control on the data to be accessed according to the corresponding sub-tree.
In this embodiment, when multiple access controllers are deployed in the trusted execution environment, each access controller maintains a respective sub-tree, and in order to improve the efficiency of performing second access control on data to be accessed, the client may send the data to be accessed belonging to the same sub-tree and a first parent node corresponding to the data to be accessed to the access controller that maintains the sub-tree. Therefore, according to one embodiment herein, after the client acquires the data to be accessed again and determines that the data to be accessed is at the first parent node in the merkel hash tree stored on the client, the method further includes:
and the client sends the first father node and the data to be accessed to the access controller corresponding to the area of the subtree with the corresponding relation with the area according to the data to be accessed belonging to the area in the merkel hash tree, so that the access controller performs second access control on the data to be accessed according to the corresponding subtree, the data to be accessed and the first father node, wherein the second access control further comprises the access controller determining a third father node corresponding to the first father node in the subtree, and judging whether the third father node is the same as the first father node, and if so, allowing the data to be accessed.
In the embodiment, the client determines a region of the data to be accessed in the merkel hash tree, then sends the data to be accessed to the access controller corresponding to the region of the subtree having a corresponding relationship with the region, and then the access controller determines a third parent node of the data to be accessed in the subtree corresponding to the access controller, wherein the third parent node is the same as the first parent node in position in the merkel hash tree, if the data to be accessed is not tampered, the first parent node is the same as the third parent node, otherwise, the third parent node is different from the first parent node, and therefore, when the access controller determines that the third parent node is the same as the first parent node, the data to be accessed is allowed to be accessed.
By the method, the access controllers maintain one sub-tree respectively, the client sends the data to be accessed belonging to the region of the merkel hash tree where the sub-tree is located and the first parent node of the data to be accessed to the access controller, the access controller can determine the third parent node of the data to be accessed in the corresponding sub-tree, and the access controller does not need to determine the third parent node of the data to be accessed in the complete credible merkel hash tree. Because the subtree is a part of the credible Mercker hash tree, the time for traversing the subtree is less than the time for traversing the complete credible Mercker hash tree, thereby improving the efficiency of the access controller for performing second access control on the data to be accessed.
Based on the same inventive concept, the embodiment of the present specification further provides an access control system for judicial data, as shown in fig. 5, including a client 501 and an access controller 502, where the access controller 502 operates in a trusted execution environment. Further, when the client 501 and the access controller 502 perform access control on the data to be accessed, the method described above is executed.
The beneficial effects obtained by the system are consistent with those obtained by the method, and the embodiments of the present description are not repeated.
Fig. 6 is a data flow diagram of an access control system for judicial data according to the embodiment of the present invention, and the specific process is as follows:
step 601: the client acquires data to be accessed;
in this step, the client may receive a judicial data access request of the user, where the access request includes data to be accessed of the user, and exemplarily, one access request of the user may include one or more data to be accessed.
Step 602: the client determines a first parent node in a merkel hash tree stored on the client for accessing data;
in this step, a plurality of judicial data are stored in the merkel hash tree stored on the client, each judicial data is used as a leaf node in the merkel hash tree, and the client determines a father node of the leaf node according to the leaf node of the data to be accessed in the merkel hash tree, so as to obtain a first father node.
Step 603: the client sends the first father node and the data to be accessed to the access controller;
in step (b), the access controller is deployed in a trusted execution environment, whereby the trustworthiness of the access controller operation is ensured.
Step 604: the access controller acquires a second father node of the data to be accessed in the Mercker hash tree from the client;
in this step, the access controller may obtain, according to a leaf node of the data to be accessed in the merkel hash tree, a parent node of the leaf node as a second parent node, where the second parent node is located at the same position as the first parent node in the merkel hash tree.
Step 605: the client provides a second parent node;
step 606: the access controller judges whether the first father node is the same as the second father node or not, and if so, the access to the data to be accessed is allowed;
in this step, if the data to be accessed is not tampered in the data transmission process between the client and the access controller, the first parent node and the second parent node should be the same, otherwise, the first parent node and the second parent node are different, and when the access controller determines that the first parent node and the second parent node are the same, the data to be accessed is allowed to be accessed.
In addition, in some other embodiments herein, when the client receives a batch of data to be accessed, in order to improve efficiency of access control, after receiving multiple data to be accessed and their corresponding first parent nodes, the access controller obtains a common parent node corresponding to the received multiple data to be accessed from the client, specifically, after receiving a request sent by the access controller to obtain the common parent node, the client searches for multiple common parent nodes of data to be accessed as a fourth parent node along a path of the merkel hash tree, where the fourth parent node may be an intermediate parent node in the merkel hash tree or a root node of the merkel hash tree. And after receiving the fourth father node, the access controller calculates a common father node of the first father nodes according to the path of the Mercker Hash tree, if the data to be accessed sent by the client is not tampered, the fourth father node acquired by the access controller is the same as the calculated common father node, otherwise, if any data to be accessed in the data to be accessed sent by the client is tampered, the fourth father node acquired by the access controller is different from the calculated common father node. When the access controller judges that the common parent node calculated is the same as the fourth parent node, access to a plurality of data to be accessed is permitted.
In addition, in some other embodiments herein, a plurality of access controllers operating in parallel may be further included, and when a client acquires a plurality of pieces of data to be accessed, a first parent node of each piece of data to be accessed in the merkel hash tree is first determined, then the plurality of pieces of data to be accessed and a corresponding plurality of first parent nodes are sent to the plurality of access controllers (it may be understood that one piece of data to be accessed and the first parent node of the piece of data to be accessed are sent to one access controller together), then the access controller acquires a second parent node of the piece of data to be accessed, which is received by the access controller, from the client, and then determines whether the first parent node received by the access controller is the same as the acquired second parent node, and if so, the access to the piece of data to be accessed is allowed. The plurality of access controllers execute the steps in parallel to perform access control on the data to be accessed, so that the parallelism of the access control is improved, and the efficiency of the access control is improved.
Step 607: the access controller updates the first father node to a credible Mercker hash tree;
in this step, when the access controller allows access to the data to be accessed, the access controller can update the first parent node into the trusted mercker hash number stored in the trusted execution environment, so that the trusted mercker tree can be guaranteed to be trusted by the trusted execution environment.
It should be noted that the access controller may update the first parent node into the trusted mercker hash tree, or may update the first parent node into the trusted mercker hash tree by another processor in the trusted execution environment, which is not limited in this embodiment.
When the client acquires the data to be accessed again, the client determines a first father node and sends the first father node and the data to be accessed to the access controller, so that the access controller performs second access control on the data to be accessed according to the credible Mercker Hash tree, the data to be accessed and the first father node.
Step 608: the client acquires the data to be accessed again;
in this step, the data to be accessed acquired again by the client is the same as the data to be accessed corresponding to the first parent node updated to the trusted mercker hash tree in step 607, and at this time, the access controller may perform access control on the data to be accessed according to the trusted mercker hash tree updated in step 607.
Step 609: the client determines a first father node in a Mercker hash tree of the data to be accessed, and sends the first father node and the data to be accessed to the access controller;
step 610: the access controller determines a third parent node corresponding to the first parent node in the trusted merkel hash tree for accessing the data;
in this step, the access controller determines a third parent node corresponding to the data to be accessed in the trusted merkel hash tree, and if the data to be accessed is not tampered, the third parent node is the same as the first parent node, otherwise, the third parent node is different from the first parent node.
Step 611: the access controller judges whether the third father node is the same as the first father node, and if so, the access to the data to be accessed is allowed.
As shown in fig. 7, which is a schematic structural diagram of a computer device in this embodiment, the client 501 or the access controller 502 in this embodiment may be a computer device in this embodiment, and perform the method in this embodiment. Computer device 702 may include one or more processing devices 704, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 702 may also include any storage resources 706 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, the storage resources 706 may include any one or more of the following in combination: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any storage resource may use any technology to store information. Further, any storage resource may provide volatile or non-volatile reservation of information. Further, any storage resources may represent fixed or removable components of computer device 702. In one case, when the processing device 704 executes associated instructions that are stored in any storage resource or combination of storage resources, the computer device 702 can perform any of the operations of the associated instructions. The computer device 702 also includes one or more drive mechanisms 708, such as a hard disk drive mechanism, an optical disk drive mechanism, or the like, for interacting with any storage resource.
Computer device 702 can also include an input/output module 710 (I/O) for receiving various inputs (via input device 712) and for providing various outputs (via output device 714). One particular output mechanism may include a presentation device 716 and an associated Graphical User Interface (GUI) 718. In other embodiments, input/output module 710 (I/O), input device 712, and output device 714 may also not be included, as only one computer device in a network. Computer device 702 can also include one or more network interfaces 720 for exchanging data with other devices via one or more communication links 722. One or more communication buses 724 couple the above-described components together.
Communication link 722 may be implemented in any manner, such as over a local area network, a wide area network (e.g., the Internet), a point-to-point connection, etc., or any combination thereof. Communication link 722 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
It should be noted that, when the access controller 502 implements the method described in this embodiment for the computer device 702 described in this embodiment, the presentation device 716 and the associated Graphical User Interface (GUI) 718 may not be included. Such as a computer minimal system consisting of only the processing device 704, the storage resource 706, and the network interface 720.
Corresponding to the methods in fig. 2-4 and 6, the embodiments herein also provide a computer-readable storage medium having a computer program stored thereon, where the computer program is executed by a processor to perform the above steps.
Embodiments herein also provide a computer readable instruction, wherein when the instruction is executed by a processor, the program causes the processor to execute the method as shown in fig. 2-4, 6.
It should be understood that, in various embodiments herein, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments herein.
It should also be understood that, in the embodiments herein, the term "and/or" is only one kind of association relation describing an associated object, meaning that three kinds of relations may exist. For example, a and/or B, may represent: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided herein, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical functional division, and other divisions may be realized in practice, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purposes of the embodiments herein.
In addition, functional units in the embodiments herein may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present invention may be implemented in a form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The principles and embodiments of the present disclosure are explained in detail by using specific embodiments, and the above description of the embodiments is only used to help understanding the method and its core idea; meanwhile, for the general technical personnel in the field, according to the idea of this document, there may be changes in the concrete implementation and the application scope, in summary, this description should not be understood as the limitation of this document.

Claims (10)

1. A method for controlling access to judicial data, said method comprising,
the method comprises the steps that a client side obtains data to be accessed, a first father node in a Merckel hash tree of the data to be accessed stored on the client side is determined, and the first father node and the data to be accessed are sent to an access controller in a trusted execution environment;
the access controller acquires a second parent node of the data to be accessed in the Mercker hash tree from the client, wherein the second parent node and the first parent node are in the same position in the Mercker hash tree;
the access controller performs first access control on the data to be accessed according to the first father node and the second father node, wherein the first access control comprises the step that the access controller judges whether the first father node and the second father node are the same or not, and if the first father node and the second father node are the same, the access controller allows the data to be accessed;
when the access to the data to be accessed is allowed, the trusted execution environment updates the first parent node into a trusted Mercker hash tree stored in the trusted execution environment, when the data to be accessed obtained again by the client is the same as the data to be accessed corresponding to the first parent node in the trusted Mercker hash tree stored in the trusted execution environment, the client determines the first parent node and sends the first parent node and the data to be accessed obtained again to the access controller, so that the access controller performs second access control on the data to be accessed obtained again according to the trusted Mercker hash tree, the data to be accessed obtained again and the first parent node, wherein the second access control comprises the fact that the access controller determines that the data to be accessed obtained again is corresponding to the first parent node in the trusted Mercker hash tree And a third father node, and determining whether the third father node is the same as the first father node, if so, allowing access to the data to be accessed acquired again, wherein the trusted merkel hash tree and the merkel hash tree have the same structure.
2. The judicial data access control method according to claim 1, wherein when the data to be accessed is plural, the method further comprises,
the method comprises the steps that a client acquires a plurality of data to be accessed, determines a first father node of the data to be accessed in a Mercker hash tree stored on the client, and sends the first father nodes and the data to be accessed to an access controller;
the access controller acquires a fourth father node of the first father nodes in the Mercker hash tree from the client, wherein the fourth father node is a common father node of the first father nodes;
and the access controller performs third access control on the plurality of data to be accessed according to the fourth father node and the plurality of first father nodes, wherein the third access control comprises the access controller calculating a common father node of the plurality of first father nodes according to the merkel hash tree, judging whether the calculated common father node is the same as the fourth father node, and if so, allowing the plurality of data to be accessed.
3. The access control method of judicial data according to claim 2, wherein said fourth parent node is a common parent node in said merkel hash tree closest to said plurality of first parent nodes.
4. The judicial data access control method according to claim 1, wherein when the data to be accessed is plural, the method further comprises,
the method comprises the steps that a client acquires a plurality of data to be accessed, and a first father node of the data to be accessed in a Mercker hash tree stored on the client is determined;
and the client sends the first father nodes to a plurality of access controllers in the trusted execution environment, so that the access controllers respectively perform first access control on the data to be accessed received respectively.
5. The method of access control of judicial data of claim 4, wherein, after the client sends the plurality of first parent nodes to a plurality of access controllers in the trusted execution environment, the method further comprises,
the plurality of access controllers add access indicia to the plurality of first parent nodes;
before the first access control is performed on the data to be accessed received by the multiple access controllers respectively, the method further comprises,
and the plurality of access controllers judge whether to perform the first access control on the data to be accessed corresponding to the plurality of first parent nodes according to the access marks of the plurality of first parent nodes.
6. The access control method of judicial data according to claim 4, wherein the trusted Mercker Hash Tree comprises a plurality of sub-trees partitioned by regions, the plurality of sub-trees corresponding to the plurality of access controllers;
updating the first parent node into a trusted merkel hash tree stored in the trusted execution environment further comprises,
the plurality of access controllers respectively update the first parent nodes corresponding to the received data to be accessed into the sub-trees corresponding to the first parent nodes.
7. The method according to claim 6, wherein when the data to be accessed acquired again by the client is the same as the data to be accessed corresponding to the first parent node in the trusted Mercker Hash Tree stored in the trusted execution environment, after determining that the data to be accessed acquired again is the first parent node in the Mercker Hash Tree stored on the client, the method further comprises,
the client sends the first father node and the obtained data to be accessed again to the access controller corresponding to the area of the subtree corresponding to the area according to the condition that the obtained data to be accessed again belongs to the area in the Mercker hash tree, so that the access controller performs the second access control on the reacquired data to be accessed according to the corresponding sub-tree, the reacquired data to be accessed and the first parent node, wherein the second access control further comprises the access controller determining that the reacquired data to be accessed corresponds to the third parent node in the subtree that is the first parent node, and judging whether the third father node is the same as the first father node or not, and if so, allowing access to the data to be accessed acquired again.
8. The judicial data access control system is characterized by comprising a client and an access controller working in a trusted execution environment;
the client and the access controller execute the method according to any one of claims 1 to 7 when performing access control on the data to be accessed.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory, wherein the computer program, when executed by the processor, performs the instructions of the method of any one of claims 1-7.
10. A computer storage medium on which a computer program is stored, characterized in that the computer program, when being executed by a processor of a computer device, executes instructions of a method according to any one of claims 1-7.
CN202210213700.3A 2022-03-04 2022-03-04 Judicial data access control method, system, equipment and storage medium Active CN114329636B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210213700.3A CN114329636B (en) 2022-03-04 2022-03-04 Judicial data access control method, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210213700.3A CN114329636B (en) 2022-03-04 2022-03-04 Judicial data access control method, system, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114329636A CN114329636A (en) 2022-04-12
CN114329636B true CN114329636B (en) 2022-05-20

Family

ID=81031286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210213700.3A Active CN114329636B (en) 2022-03-04 2022-03-04 Judicial data access control method, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114329636B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175840A (en) * 2019-04-19 2019-08-27 华中科技大学 Method, client, alliance's chain and the system of light wallet mechanism are realized in alliance's chain
CN110599346A (en) * 2019-09-20 2019-12-20 腾讯科技(深圳)有限公司 Block chain information acquisition method and related equipment
CN113901395A (en) * 2021-12-06 2022-01-07 深圳市名竹科技有限公司 Data processing method, data processing device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10992459B2 (en) * 2019-08-30 2021-04-27 Advanced New Technologies Co., Ltd. Updating a state Merkle tree

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175840A (en) * 2019-04-19 2019-08-27 华中科技大学 Method, client, alliance's chain and the system of light wallet mechanism are realized in alliance's chain
CN110599346A (en) * 2019-09-20 2019-12-20 腾讯科技(深圳)有限公司 Block chain information acquisition method and related equipment
CN113901395A (en) * 2021-12-06 2022-01-07 深圳市名竹科技有限公司 Data processing method, data processing device, computer equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
可信计算平台委托机制的分析与改进;黄宁玉 等;《武汉大学学报 信息科学版》;20100531;第35卷(第5期);599-602 *
基于Merkle哈希树的范围查询验证技术;赵蒙 等;《东南大学学报(自然科学版)》;20171130;第47卷;118-122 *

Also Published As

Publication number Publication date
CN114329636A (en) 2022-04-12

Similar Documents

Publication Publication Date Title
US10706037B2 (en) Non-blocking processing of federated transactions for distributed data partitions
US11126605B2 (en) System and method for clustering distributed hash table entries
US11544154B2 (en) Systems and methods for monitoring distributed database deployments
US11663227B2 (en) Generating a subquery for a distinct data intake and query system
US10528537B2 (en) System and method for fetching the latest versions of stored data objects
Pfaff et al. The open vswitch database management protocol
US8082294B2 (en) Methods and systems for providing web applications
US8250102B2 (en) Remote storage and management of binary object data
US10606709B1 (en) Method and system for intelligently load balancing database backup operations in information technology environments
CN108073823B (en) Data processing method, device and system
US10747749B2 (en) Methods and systems for managing distributed concurrent data updates of business objects
CN114616557A (en) Supporting blockchain collections in databases
US8087015B2 (en) Assignment of application models to deployment targets
US20180322301A1 (en) Commit and rollback of data streams provided by partially trusted entities
CN112651001A (en) Access request authentication method, device, equipment and readable storage medium
CN114329636B (en) Judicial data access control method, system, equipment and storage medium
US11544069B2 (en) Universal pointers for data exchange in a computer system having independent processors
Pfaff Rfc 7047: The open vswitch database management protocol
CN107085681B (en) Robust computing device identification framework
WO2020144816A1 (en) History management device, search processing device, history management method, search processing method, and program
US7269610B2 (en) System and method to observe user behavior and perform actions introspectable objects
US20180139198A1 (en) Key based authorization for programmatic clients
CN114217899B (en) Data persistence method, device, electronic equipment and storage medium
CN114238008A (en) Data acquisition method, device and system, electronic equipment and storage medium
CN114579611A (en) Data parallel query method and device for cross-link system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant