CN115529136B - Internet of things-oriented lightweight blockchain design method based on attribute access control - Google Patents


Publication number
CN115529136B
Authority
CN
China
Prior art keywords
block
data
hash
node
contract
Prior art date
Legal status
Active
Application number
CN202210983502.5A
Other languages
Chinese (zh)
Other versions
CN115529136A (en)
Inventor
张�杰
袁凌云
许姗姗
Current Assignee
Yunnan Normal University
Original Assignee
Yunnan Normal University
Application filed by Yunnan Normal University
Priority to CN202210983502.5A
Publication of CN115529136A
Application granted
Publication of CN115529136B

Classifications

    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention relates to an Internet of Things-oriented lightweight blockchain design method based on attribute access control. First, each Internet of Things device obtains a unique identification ID, and the collected data is hashed to generate a data ID; the device combines attributes to generate the access policy for the data; the block body comprises the current time, the device ID and the data ID, the access policy, the device's digital signature and the block-out difficulty; each node verifies the digital signature based on the broadcast block Hash; any node can generate, in a simple manner, the block Hash that finally meets the block-out difficulty; the block Hash incorporates the previous block Hash to complete the chain; the blockchain performs functions such as block uplink, block query, identity verification and policy management by calling contracts. The method enables legal access to and efficient acquisition of Internet of Things data in low-resource scenarios, provides complete, controllable and secure management of the data, tracing of access records and punishment of illegal access, and is characterized by high security and low cost.

Description

Internet of things-oriented lightweight blockchain design method based on attribute access control
Technical Field
The invention relates to an Internet of Things-oriented lightweight blockchain design method based on attribute access control, and belongs to the technical field of blockchains.
Background
With the rapid development of modern information technology, the world is moving into an age of universal interconnection, in which the Internet of Things (IoT) is a key technology. The Internet of Things connects large numbers of sensors and smart devices capable of sensing the external environment through the Internet and other networks in order to complete different tasks. It is estimated that by 2025, Internet of Things devices will generate about 90ZB of data worldwide. The rapid development of the Internet of Things greatly advances global informatization, but the security problems of the traditional Internet of Things are particularly prominent because of its device diversity, resource limitations and data privacy. As the Internet of Things spreads, too much data and too many devices are exposed on the network, and protecting resource-limited devices and Internet of Things data becomes critical.
Access control governs access to Internet of Things data and device resource services by executing rules defined in the corresponding security policies, preventing actions that may cause security violations; it is therefore a key technology for Internet of Things data and device security. Related studies have shown that, compared with other conventional access control models, the attribute-based access control model (Attribute Based Access Control, ABAC) is the most suitable for the Internet of Things. ABAC grants access to a resource (the object) by attributes, that is, by the subject, object, environment and pre-allocated request operations defined by an authority. It can therefore provide more flexible, secure and fine-grained access control for each Internet of Things device. However, the distributed architecture of the Internet of Things is not suited to an access control mechanism in which access rights are granted by one centralized entity.
In recent years, some research has applied blockchain technology to achieve distributed access control for the Internet of Things. A blockchain is a distributed, trustless peer-to-peer network in which data (e.g., transaction information) is stored in blocks through a consensus mechanism and linked in sequence through hash digests; all nodes are equal and each holds the entire data of the blockchain network. Implementing blockchain-based access control through smart contracts (executable code in a blockchain) can secure distributed Internet of Things devices and data, but the computational and storage overhead involved is unacceptable for resource-limited Internet of Things devices. In-depth study of existing blockchain platforms finds that most suffer from high resource consumption and poor scalability and cannot be adapted to today's resource-limited Internet of Things scenarios; a lightweight blockchain oriented to the Internet of Things is therefore designed by simplifying block contents and optimizing the consensus algorithm. On this basis an attribute-based access control model is introduced, and a smart contract-based ABAC model is implemented to achieve high-security, fine-grained control of Internet of Things resources and devices.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an Internet of Things-oriented lightweight blockchain design method based on attribute access control, so as to solve the problem that centralized authorization for attribute access control is unsuitable in Internet of Things scenarios, to enable legal access to and efficient acquisition of data in low-resource Internet of Things scenarios, to provide complete, controllable and secure management of the data, and to provide tracing of access records and punishment of illegal access.
The technical scheme of the invention is as follows: an Internet of Things-oriented lightweight blockchain design method based on attribute access control. First, a unique device identifier ID is obtained by normalizing the serial number of the Internet of Things terminal device; the acquired data is then hashed to obtain the data Hash, which is stored in a couchdb database as a key-value pair. Second, the current timestamp, the device ID, the generated data Hash, the access control policy corresponding to the data, the device's signature over the data and the block-out difficulty are packaged into a single block; the block Hash value is calculated, broadcast to each node, and stored in the couchdb database as a key-value pair. After obtaining the block Hash, the nodes fetch the data from the couchdb database and verify whether the device and the corresponding digital signature are legal. If they are legal, a final block Hash meeting the set block-out difficulty is obtained by randomly serializing the random number; the random number that meets the block-out difficulty is broadcast and verified by the other nodes, and once verification is complete the final block Hash is determined. Functions such as block uplink, block query, identity verification and policy management are performed by calling contracts, and the validity of blocks on the chain is verified by checking that each block's Hash is consistent with the Hashes recorded in the preceding and following blocks, which determines the generation of the new blockchain.
As a further scheme of the invention, the method comprises the following specific steps:
Step1, normalizing the Internet of Things devices, and preprocessing and storing the acquired data;
Step2, generating an attribute-based access control policy from the data and devices of Step1;
Step3, combining the data with the device identification information, a timestamp and so on to generate a basic block and its corresponding hash value;
Step4, the nodes obtain the block hash value via broadcast, verify the validity of the data and judge whether the data is legal;
Step5, the node itself calculates a final block hash that meets the difficulty requirement, broadcasts the random number, and calls the contract to complete block uplink after multi-node verification;
Step6, the nodes perform functions such as querying data in a block, identity verification and policy management through smart contracts;
Step7, finally, after block validity verification, the blocks are linked into a chain through the hashes of the preceding and following blocks, completing the generation of the blockchain.
As a further scheme of the invention, the Step2 comprises the following specific steps:
Step2.1, the device, as the data owner, generates an identification Hash for the data;
Step2.2, an access control policy is defined as a quadruple <policy ID, subject, object, operation>;
Step2.3, the subject and the object are described in a tree structure, i.e., the parent node and child node information of the subject and the parent node and child node information of the object; the root node is the administrator and has no parent node, and the child nodes comprise users and terminal devices;
Step2.4, operations include create C, read R, update U and delete D, described as action = (C R U D); each behavior is described with "0" or "1" and the result is finally stored in hexadecimal. Because the operation is stored in hexadecimal, matching a permission against a policy requires only a bitwise AND, and the legitimacy decision is completed by comparing the result with a specific value, so CPU consumption in the process is low, resource consumption is greatly reduced, and the matching effect is achieved;
Step2.5, a policy ID is generated incrementally when a policy is stored, and is stored in string and numeric form.
As a further scheme of the invention, the Step3 comprises the following specific steps:
Step3.1, the function Date().Format("yyyy-MM-dd HH:MM:ss") generates the current timestamp for the block;
Step3.2, the device ID and the data Hash are set, and a digital signature over the data Hash is generated with the device private key;
Step3.3, the access control policy ID corresponding to the data Hash is set;
Step3.4, the block-out difficulty nBits is set as an integer in the range [0,255] for final block hash calculation and verification;
Step3.5, the timestamp, the device ID, the data Hash, the policy ID, the device's signature over the data and the block-out difficulty nBits are combined and packaged into a data block; the block size is controlled by simplifying the block content, so bandwidth and storage requirements during transmission and storage are low, resource consumption is greatly reduced, and data security is still guaranteed.
As a further scheme of the invention, the Step5 specifically comprises the following steps:
Step5.1, the nodes obtain the current block Hash via broadcast, and query and determine the current block-out difficulty nBits;
Step5.2, each node initializes a random value n and calculates the final block Hash by modifying n until its first nBits bits are all 0. With this improvement to the traditional consensus algorithm, experiments verify that the time to generate every 100 blocks is reduced by 18.37% at a difficulty of 5; that is, optimizing the consensus algorithm reduces block-out time and addresses the high block-out time of blockchains;
Step5.3, some node calculates a random value this.n for which the first nBits bits are 0, and broadcasts the value n and the resulting final block Hash;
Step5.4, all other nodes verify whether this.n meets the requirement;
Step5.5, if the requirement is met, all nodes package the block Hash, the previous block Hash and the corresponding random value this.n, and calculate and generate the final block Hash.
The Step6 specifically comprises the following steps:
Step6.1, the smart contract-based data query function is implemented by the data query contract QueryData(); QueryData() uses the data Hash to query the corresponding data body content in the block; the node Hash is used to query the permissions the node holds, and the query is completed only if the corresponding data Hash exists among the node's child nodes and the value of its operation permission 'R' is 1;
Step6.2, the smart contract-based identity verification function is implemented by the identity verification contract JudgeVerify(); JudgeVerify() uses the identity Hash to be checked to query the corresponding public key data in the block, and returns the final verification result True or False by calling this.PK.verify(this.datahash, this.sign);
Step6.3, the smart contract-based policy management function is implemented by the policy management contract MC(); MC() contains ManageAdd() for adding permissions, ManageUpdate() for updating permissions, and ManageDelete() for deleting permissions;
Step6.4, the smart contract-based policy matching function is implemented by the policy matching contract JC(); JC() contains JudgeFromMC() for obtaining data access permissions from MC(), JudgeToPC() for sending the matching result to the PC() contract, and JudgeToACC() for sending the matching result to the ACC() contract;
Step6.5, the smart contract-based penalty function for illegal access is implemented by the penalty contract PC(); PC() contains PublishToACC() for returning penalty measures to the ACC() contract. The traditional attribute-based access control model implements no punishment mechanism; implementing punishment measures for illegal access in the smart contract effectively reduces the number of illegal accesses in the network, improves network trust, and provides better security for the data;
Step6.6, the smart contract-based access control function is implemented by the access control contract ACC(); for illegal access, ACC() sets an access time interval that grows exponentially and records it in the history; access can be requested again only once the waiting time reaches the limit; when the number of illegal accesses reaches the limit, the user is deleted and its Hash is recorded in a blacklist. Because the operations are executed by smart contracts, a decentralized, trustless mechanism is achieved: all access records are produced and controlled automatically by the smart contracts without manual control, providing a complete, efficient and secure data access mechanism.
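The hexadecimal operation mask of Step2.4 and the penalty behaviour of Step6.5 and Step6.6, as an added JavaScript example that is not the patent's contract code. The class and method names, the flat subject and object strings (the tree of Step2.3 is omitted), BASE_WAIT_MS and MAX_VIOLATIONS are assumptions.

```javascript
// Added example, not the patent's contract code. Names, the flat subject/object
// strings, BASE_WAIT_MS and MAX_VIOLATIONS are assumptions.
const OPS = { C: 0x8, R: 0x4, U: 0x2, D: 0x1 }; // action = (C R U D), one bit each
const BASE_WAIT_MS = 1000; // assumed first waiting interval after an illegal access
const MAX_VIOLATIONS = 3;  // assumed illegal-access limit before blacklisting
const hasOp = (ch) => Object.prototype.hasOwnProperty.call(OPS, ch);

// Step2.4: pack operation letters into a 4-bit mask stored as hexadecimal.
function encodeOps(letters) {
  let mask = 0;
  for (const ch of letters) {
    if (!hasOp(ch)) throw new Error(`unknown operation: ${ch}`);
    mask |= OPS[ch];
  }
  return mask.toString(16);
}

class AccessControl {
  constructor() {
    this.policies = new Map();   // policy ID -> { subject, object, action }
    this.nextId = 1;
    this.violations = new Map(); // subject -> { count, blockedUntil }
    this.blacklist = new Set();
    this.history = [];
  }

  // MC().ManageAdd(): store <policy ID, subject, object, operation> (Step2.2, Step2.5).
  manageAdd(subject, object, letters) {
    const id = `P${this.nextId++}`;
    this.policies.set(id, { subject, object, action: encodeOps(letters) });
    return id;
  }

  // JC(): a request matches when (stored mask AND requested bit) equals the bit.
  matches(subject, object, op) {
    const bit = hasOp(op) ? OPS[op] : 0;
    if (bit === 0) return false;
    for (const p of this.policies.values()) {
      if (p.subject === subject && p.object === object &&
          (parseInt(p.action, 16) & bit) === bit) return true;
    }
    return false;
  }

  // ACC(): decide one request at time nowMs and record it in the history.
  request(subject, object, op, nowMs) {
    const done = (result) => {
      this.history.push({ subject, object, op, nowMs, result });
      return result;
    };
    if (this.blacklist.has(subject)) return done('blacklisted');
    const v = this.violations.get(subject) || { count: 0, blockedUntil: 0 };
    if (nowMs < v.blockedUntil) return done('waiting');
    if (this.matches(subject, object, op)) return done('granted');
    // PC(): illegal access. The waiting interval doubles with each violation.
    v.count += 1;
    if (v.count >= MAX_VIOLATIONS) {
      this.violations.delete(subject);
      this.blacklist.add(subject); // the subject's Hash goes on the blacklist
      return done('blacklisted');
    }
    v.blockedUntil = nowMs + BASE_WAIT_MS * 2 ** (v.count - 1);
    this.violations.set(subject, v);
    return done('denied');
  }
}

// Constructed scenario: userA may only read data1.
function demo() {
  const acc = new AccessControl();
  acc.manageAdd('userA', 'data1', 'R');
  return [
    acc.request('userA', 'data1', 'R', 0),    // allowed by the policy
    acc.request('userA', 'data1', 'D', 0),    // 1st violation, wait until t=1000
    acc.request('userA', 'data1', 'R', 500),  // still inside the waiting interval
    acc.request('userA', 'data1', 'R', 1000), // interval over, read allowed again
    acc.request('userA', 'data1', 'U', 1000), // 2nd violation, wait until t=3000
    acc.request('userA', 'data1', 'R', 2999),
    acc.request('userA', 'data1', 'C', 3000), // 3rd violation reaches the limit
    acc.request('userA', 'data1', 'R', 9999),
  ];
}

console.log(demo());
```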
The beneficial effects of the invention are as follows:
(1) Because the centralized authorization mechanism of the traditional attribute-based access control model is not suited to the distributed Internet of Things scenario, an attribute-based access control method is designed that provides fine-grained, decentralized and trustless access control, achieving secure, efficient and controllable access and fully automatic reward and punishment measures.
(2) Because the high resource consumption of traditional blockchain platforms is not suited to the low-resource Internet of Things scenario, a lightweight blockchain method is designed that provides lower storage, communication and computation costs and achieves efficient resource access and security management.
(3) Because the matching process of traditional access control policies is cumbersome and not suited to the low-resource Internet of Things scenario, a simple access control policy generation method is designed that provides a more comprehensive permission matching range and a more concise permission matching mode, achieving an efficient attribute and policy matching process.
Drawings
FIG. 1 is a schematic diagram of the steps of the present invention;
FIG. 2 is a blockchain block diagram in an embodiment of the invention;
FIG. 3 is a blockchain access control flow diagram in an embodiment of the invention.
Detailed Description
The invention will be further described with reference to the drawings and detailed description.
Example 1: as shown in FIG. 1, in the Internet of Things-oriented lightweight blockchain design method based on attribute access control, a unique device identifier ID is first obtained by normalizing the serial number of the Internet of Things terminal device; the acquired data is then hashed to obtain the data Hash, which is stored in a couchdb database as a key-value pair. Second, the current timestamp, the device ID, the generated data Hash, the access control policy corresponding to the data, the device's signature over the data and the block-out difficulty are packaged into a single block; the block Hash value is calculated, broadcast to each node, and stored in the couchdb database as a key-value pair. After obtaining the block Hash, the nodes fetch the data from the couchdb database and verify whether the device and the corresponding digital signature are legal. If they are legal, a final block Hash meeting the set block-out difficulty is obtained by randomly serializing the random number; the random number that meets the block-out difficulty is broadcast and verified by the other nodes, and once verification is complete the final block Hash is determined. Functions such as block uplink, block query, identity verification and policy management are performed by calling contracts, and the validity of blocks on the chain is verified by checking that each block's Hash is consistent with the Hashes recorded in the preceding and following blocks, which determines the generation of the new blockchain.
The method comprises the following specific steps:
Step1, normalizing the Internet of Things devices, and preprocessing and storing the acquired data;
The Step1 specifically comprises the following steps:
Step1.1, because the network is a large-scale, complex network of heterogeneous devices with different communication modes, the method identifies each device along four dimensions: device ID, device COM port, device MAC, and device IP port.
Step1.2, the method uses SHA-256 to calculate the device ID: and stores it in the node tag corresponding to the registered set . When , and are as follows:
Step1.3, at this point a new node set can be used. Through , a device may be added to the blockchain.
Step1.4, based on the device ID: , the generated Data is hashed with SHA-256 to obtain the corresponding Hash, which is stored in the couchdb database as a <Hash:Data> key-value pair.
Step2, generating an attribute-based access control policy from the data and devices of Step1;
The Step2 specifically comprises the following steps:
Step2.1, the device, as the data owner, generates an identification Hash for the data;
Step2.1.1, let $P = \{PA_{s1}, PA_{s2}, \ldots, PA_{sn}\}$ be the total set of attributes; the attributes associated with each device and user (e.g., $Sub_A$, $Ob_A$, $Op_A$, $En_A$) are associated with their respective IDs. Thus, for a device property set
Step2.1.2, after the device has registered successfully, it can use its own to add or select the corresponding attributes from the attribute set P and, via a hash function, store and the corresponding attribute set to in key-value pair form; or it can use its own to search for and obtain the corresponding attribute set from , or delete it.
Step2.2, an access control policy is defined as a quadruple <policy ID, subject, object, operation>;
Step2.3, the subject and the object are described in a tree structure, i.e., the parent node and child node information of the subject and the parent node and child node information of the object; the root node is the administrator and has no parent node, and the child nodes comprise users and terminal devices;
Step2.4, operations include create C, read R, update U and delete D, described as action = (C R U D); each behavior is described with "0" or "1" and the result is finally stored in hexadecimal;
Step2.5, a policy ID is generated incrementally when a policy is stored, and is stored in string and numeric form;
Step3, combining the data with the device identification information, a timestamp and so on to generate a basic block and its corresponding hash value;
The Step3 specifically comprises the following steps:
Step3.1, the function Date().Format("yyyy-MM-dd HH:MM:ss") generates the current timestamp for the block;
Step3.2, the device ID and the data Hash are set, and a digital signature over the data Hash is generated with the device private key;
Step3.2.1, calling ec in the elliptic library and generating a private key with the secp256k1 curve: pk = ec.genKeyPair();
Step3.2.2, signing the data Hash with the private key: this.sign = this.pk.sign(this.datahash);
Step3.2.3, generating the corresponding public key from ec and the private key: this.pk = ec.keyFromPublic(this.pk.getPublic());
Step3.2.4, verifying the data and the corresponding signature with the public key: this.pk.verify(this.datahash, this.sign) returns True or False, indicating the verification result.
Step3.3, the access control policy ID corresponding to the data Hash is set;
Step3.4, the block-out difficulty nBits is set as an integer in the range [0,255] for final block hash calculation and verification;
Step3.5, the timestamp, the device ID, the data Hash, the policy ID, the device's signature over the data and the block-out difficulty nBits are combined and packaged into a data block, as shown in FIG. 2;
Step4, the nodes obtain the block hash value via broadcast, verify the validity of the data and judge whether the data is legal;
The Step4 specifically comprises the following steps:
Step4.1, after obtaining the block hash value via broadcast, the nodes query and determine the specific data;
Step4.2, the node queries by device ID whether the device exists, and requests the device public key D.PK in return;
Step4.3, the node performs identity verification based on the data Hash and signature data in the block;
Step4.3.1, D.PK.verify(this.datahash, this.sign) is called; when the result is True, the device is legal and the block data has not been tampered with, i.e., the block is legal, and the node broadcasts a valid message to the other nodes;
Step4.3.2, when the result is False, the block data or the device ID has been tampered with and the block is invalid, and the node broadcasts an invalid message to the other nodes;
Step4.4, the nodes complete the validity verification of the block through mutual broadcast and response.
Step5, the node itself calculates a final block hash that meets the difficulty requirement, broadcasts the random number, and calls the contract to complete block uplink after multi-node verification. The conventional POW consensus algorithm combines the Hash value of the previous block, the transaction data of the block, the timestamp and the random number n in the block, calculates the corresponding Hash value with the SHA256 algorithm, and increments the random number n until it obtains a Hash value whose first nBits bits are 0. Because the Hash values obtained from successive calculations differ greatly, calculating a Hash value whose first nBits bits are 0 takes too much time. The method therefore applies a random serialization operation to the random number n and inspects the Hash value after each calculation: if the first bit of the obtained Hash value is 0, the probability that the first nBits bits are 0 after n is incremented is smaller, so n is set to a random number; if the 1st bit is not 0, n is incremented from its existing value. In the corresponding experiments, the construction time of every 100 blocks is reduced by 18.37% on average compared with the traditional POW.
Step5 specifically comprises the following steps:
step5.1, the nodes obtain the current block Hash via broadcast, and query and determine the current block-out difficulty nBits;
step5.2, each node initializes a random value n and computes the final block Hash, modifying n until the first nBits bits of the hash are all 0;
step5.2.1, each node initializes the random value n to 0 and computes final block Hash = SHA256(current block Hash + previous block Hash + random value n);
step5.2.2, the node checks whether the leading bits of the final block Hash are all 0;
step5.2.3, if they are all 0, the node broadcasts the random value this.n and the final block Hash value; if not:
step5.2.4, if the 1st bit is 0, the random value this.n is set to a random value in the range [1, 2^32-1]; if the 1st bit is not 0:
step5.2.5, the random value this.n is incremented from its current value;
step5.2.6, this repeats until some node obtains a random value this.n for which the first nBits bits are 0;
step5.3, when a node finds a random value this.n for which the first nBits bits are 0, it broadcasts the value n and the resulting final block Hash;
step5.4, all other nodes verify whether this.n meets the requirement;
step5.4.1, the other nodes receive the broadcast this.n and final Hash, compute block Hash = SHA256(block Hash + previous block Hash + this.n) and compare it with the broadcast final Hash; when they are consistent, the random value is valid and the broadcast final Hash is the final block Hash of the current block;
step5.4.2, when they are inconsistent, the other nodes broadcast a verification failure and continue to compute the random value this.n;
step5.5, once the requirement is met, all nodes package the block Hash, the previous block Hash and the corresponding random value this.n, and compute and generate the final block Hash;
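The search in step5.2 and the check in step5.4.1 can be written out as follows. This is an added example, not code from the patent: the function names, the string encoding of the "+" concatenation, the `max_tries` bound and the sample inputs are assumptions.

```python
import hashlib
import random

NONCE_MAX = 2**32 - 1  # upper end of the random range in step5.2.4


def final_hash(block_hash: str, prev_hash: str, n: int) -> bytes:
    """step5.2.1: SHA256(current block Hash + previous block Hash + n).

    Assumption: "+" means concatenating the two hex digests and decimal n.
    """
    return hashlib.sha256(f"{block_hash}{prev_hash}{n}".encode()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count the consecutive 0 bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mine(block_hash, prev_hash, n_bits, rng=None, max_tries=2_000_000):
    """Search for n as in step5.2; returns (n, final_hash_hex, tries)."""
    if not 0 <= n_bits <= 255:          # nBits range given in step3.4
        raise ValueError("nBits must be in [0, 255]")
    rng = rng or random.Random()
    n = 0                               # step5.2.1: start from 0
    for tries in range(1, max_tries + 1):
        digest = final_hash(block_hash, prev_hash, n)
        zeros = leading_zero_bits(digest)
        if zeros >= n_bits:             # step5.2.3: difficulty met
            return n, digest.hex(), tries
        if zeros >= 1:                  # step5.2.4: 1st bit is 0, re-draw n
            n = rng.randint(1, NONCE_MAX)
        else:                           # step5.2.5: otherwise increment n
            n += 1
    raise RuntimeError("no nonce found within max_tries")


def verify(block_hash, prev_hash, n, claimed_hex, n_bits) -> bool:
    """step5.4.1 on a receiving node: recompute and compare with the broadcast.

    The difficulty is re-checked as well, so a correctly computed hash that
    does not have nBits leading zero bits is still rejected.
    """
    if not isinstance(n, int) or n < 0:
        return False
    digest = final_hash(block_hash, prev_hash, n)
    return digest.hex() == claimed_hex.lower() and leading_zero_bits(digest) >= n_bits


if __name__ == "__main__":
    # Constructed sample inputs, not values from the patent.
    block = hashlib.sha256(b"constructed block body").hexdigest()
    prev = hashlib.sha256(b"constructed previous block").hexdigest()
    n, h, tries = mine(block, prev, 12, random.Random(1))
    print(n, h, tries, verify(block, prev, n, h, 12))
```

If SHA256 is modelled as a random function, each distinct input meets the difficulty with probability 2^-nBits however n is chosen, so this example checks the search and verification logic only and does not reproduce the timing figure quoted in Step5.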
Step6, based on the smart contracts, the node can query data in the block, verify identity, manage policies, and so on. In the comparison experiment, only the query contract's time consumption under different levels of concurrent calls increases linearly with the number of requests, and it is independent of the consensus difficulty; querying under 500 concurrent calls takes about 1.29s, and the time consumption of the other contracts is negligible.
Step6 specifically comprises the following steps:
step6.1, the smart contract-based data query function is implemented by the data query contract QueryData();
step6.1.1, the node performs data queries through the data query contract QueryData();
step6.1.2, the node passes in the Hash of the data to be queried and the node's own Hash;
step6.1.3, QueryData() uses the data Hash to look up the corresponding data body content in the block, and uses the node Hash to look up the permissions the node holds; the query completes only if the corresponding data Hash exists among the node's child nodes and the node's operation permission 'R' value is 1;
step6.2, the smart contract-based identity verification function is implemented by the identity verification contract JudgeVerify();
step6.2.1, the node performs identity verification through the identity verification contract JudgeVerify();
step6.2.2, the node passes in the identity Hash to be checked, the data Hash it is responsible for, and the corresponding digital signature Sign;
step6.2.3, JudgeVerify() uses the identity Hash to be checked to look up the corresponding public key data in the block, and returns the final verification result True or False by calling this.pk.verify(this.datahash, this.sign);
step6.3, the smart contract-based policy management function is implemented by the policy management contract MC();
step6.3.1, the node performs policy management through the policy management contract MC();
step6.3.2, the node passes in the access control policy file policy and the corresponding data Hash;
step6.3.3, MC() contains ManageAdd() for adding permissions, ManageUpdate() for updating permissions, and ManageDelete() for deleting permissions;
step6.3.4, ManageAdd() adds the access control policy passed as a parameter under the corresponding data Hash;
step6.3.5, ManageUpdate() retrieves the current access control policy by the corresponding data Hash and replaces it with the policy passed as a parameter, completing the update of the access control policy;
step6.3.6, ManageDelete() retrieves the current access control policy by the corresponding data Hash and deletes it;
step6.4, the smart contract-based policy matching function is implemented by the policy matching contract JC();
step6.4.1, the node performs policy matching through the policy matching contract JC();
step6.4.2, the node passes in its own Hash and the corresponding data Hash;
step6.4.3, JC() contains JudgeFromMC() for obtaining data access permissions from MC(), JudgeToPC() for sending the matching result to the PC() contract, and JudgeToACC() for sending the matching result to the ACC() contract;
step6.4.4, JudgeFromMC() obtains the corresponding access policy file policy by sending the data Hash;
step6.4.5, JudgeToPC() looks up the user's permissions by the user's Hash and performs a bitwise AND with the policy; it returns a match-success result to the PC() contract only when the corresponding operation result is 1, and otherwise returns a match-failure result to the PC() contract;
step6.4.6, JudgeToACC() looks up the user's permissions by the user's Hash and performs a bitwise AND with the policy; it returns a match-success result to the ACC() contract only when the corresponding operation result is 1, and otherwise returns a match-failure result to the ACC() contract;
step6.5, the smart contract-based illegal-access penalty function is implemented by the penalty contract PC(); when JC() determines that the current access result is False, PC() obtains the illegal-access record and takes appropriate penalty measures against the access subject according to the number of illegal accesses (such as setting an access time limit, a limit on the number of accesses, and the like).
step6.5.1, the node applies the illegal-access penalty function through the penalty contract PC();
step6.5.2, PC() contains publishtooACC() for returning penalty measures to the ACC() contract;
step6.5.3, publishtooACC() determines the reward or penalty operation from the matching result and the history record and sends it to the ACC() contract;
step6.6, the smart contract-based access control function is implemented by the access control contract ACC(), as shown in Fig. 3;
step6.6.1, the node performs access control through the access control contract ACC();
step6.6.2, ACC() makes the final decision by obtaining the policy matching result from JC() and the reward and penalty operation from PC(); if the access is legal:
step6.6.3, ACC() calls the data query contract QueryData() to obtain the data and returns it to the node; if the access is illegal:
step6.6.4, ACC() sets an access time interval for the illegal access, which increases exponentially, and records it in the history record; access can be applied for again only after the waiting time has elapsed; when the number of illegal accesses reaches the limit, the user is deleted and its Hash is recorded in a blacklist;
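The interplay of the JC() match, the PC() penalty and the ACC() decision in step6.4 to step6.6 can be modelled in a few lines. This is an added example, not the patent's contract code: the class and method names, the bit order chosen for action=(C R U D), the base wait of 2 seconds, the limit of 4 illegal accesses and all sample Hash values are assumptions.

```python
C, R, U, D = 0b1000, 0b0100, 0b0010, 0b0001  # assumed bit order of (C R U D)


class AccessControl:
    """Toy model of the JC() match, the PC() penalty and the ACC() decision."""

    def __init__(self, base_wait=2, limit=4):
        # base_wait (seconds) and limit are assumed values; the page gives none.
        self.base_wait, self.limit = base_wait, limit
        self.policies = {}       # data Hash -> policy bits, as managed by MC()
        self.permissions = {}    # user Hash -> permission bits
        self.data = {}           # data Hash -> data body
        self.history = {}        # user Hash -> number of illegal accesses
        self.blocked_until = {}  # user Hash -> earliest time of the next request
        self.blacklist = set()

    def match(self, user_hash, data_hash, op):
        """JudgeToACC(): user bits AND policy bits, then test the requested bit."""
        allowed = self.permissions.get(user_hash, 0) & self.policies.get(data_hash, 0)
        return (allowed & op) != 0

    def penalty(self, user_hash):
        """PC(): the wait doubles per illegal access; None means limit reached."""
        count = self.history[user_hash]
        return None if count >= self.limit else self.base_wait * 2 ** (count - 1)

    def request(self, user_hash, data_hash, op, now):
        """ACC(): returns (status, payload) for one access request at time now."""
        if user_hash in self.blacklist:
            return "blacklisted", None
        wait_left = self.blocked_until.get(user_hash, 0) - now
        if wait_left > 0:
            # Assumption: a request made during the wait is refused, not counted.
            return "waiting", wait_left
        if self.match(user_hash, data_hash, op):
            # Legal access: a read is answered with the data body (QueryData()).
            return "granted", (self.data.get(data_hash) if op & R else None)
        self.history[user_hash] = self.history.get(user_hash, 0) + 1
        wait = self.penalty(user_hash)
        if wait is None:
            self.permissions.pop(user_hash, None)   # delete the user
            self.blacklist.add(user_hash)           # record its Hash
            return "blacklisted", None
        self.blocked_until[user_hash] = now + wait
        return "denied", wait


if __name__ == "__main__":
    ac = AccessControl()
    ac.policies["d1"] = int("6", 16)        # policy stored as hex: R and U
    ac.permissions["alice"] = int("4", 16)  # constructed user with R only
    ac.data["d1"] = "21.5C"
    print(ac.request("alice", "d1", R, now=0))    # ('granted', '21.5C')
    print(ac.request("mallory", "d1", R, now=0))  # ('denied', 2)
```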
Step7, finally, the blocks that have passed block validity verification are linked through their previous and next block hashes to complete the generation of the blockchain.
Step7 specifically comprises the following steps:
step7.1, the genesis block is created by setting ancestor chain (); the contents of this block are all empty and contain only information declaring it to be the genesis block, and all other blocks are linked from it;
step7.2, after the final hash value has been generated, the block agreed on by the nodes is added to the chain by calling addBlockToChain() and passing in its own hash;
step7.3, the node can obtain all block contents from the ancestor block to the current block through GetChain();
step7.4, the node can verify, block by block, the previous and next hashes and the own hash of all blocks through contrast hash ();
step7.4.1, a block is verified by recalculating the current block's hash value and comparing it with the block hash value on the chain; if they are consistent, the block data has not been tampered with;
step7.4.2, the data on the chain is determined not to have been tampered with by recursively recalculating the hash value of every block and comparing it with the block hash value on the chain;
step7.4.3, chain consistency is verified by checking whether the hash value of the previous block is consistent with the previous-block hash value stored in the current block;
step7.4.4, whether the chain is broken is verified by recursively checking, for every block, whether the hash value of the preceding block is consistent with the previous-block hash value stored in that block;
step7.4.5, the chain is determined to be usable only if the data has not been tampered with and the chain is not broken.
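The two checks of step7.4 catch different things: recomputing a block's own hash detects edited data, and comparing links detects a block whose hash was recomputed after the edit. The following is an added example, not the patent's implementation: the function names, the JSON encoding of the block body and the sample field values are assumptions, and the nBits difficulty check of Step5 is left out.

```python
import hashlib
import json


def final_hash(body: dict, prev_hash: str, n: int) -> str:
    """SHA256(block Hash + previous block Hash + n), as in step5.2.1.

    Assumption: the block Hash is SHA256 over the body as canonical JSON.
    """
    block_hash = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return hashlib.sha256(f"{block_hash}{prev_hash}{n}".encode()).hexdigest()


def new_chain() -> list:
    """step7.1: a genesis block that only declares itself as such."""
    body = {"genesis": True}
    return [{"body": body, "prev_hash": "", "n": 0, "hash": final_hash(body, "", 0)}]


def add_block(chain: list, body: dict, n: int = 0) -> dict:
    """step7.2: link an agreed block to the current end of the chain."""
    prev = chain[-1]["hash"]
    block = {"body": body, "prev_hash": prev, "n": n, "hash": final_hash(body, prev, n)}
    chain.append(block)
    return block


def check_chain(chain: list) -> dict:
    """step7.4: recompute every block hash and every link.

    Returns the indices of tampered blocks (step7.4.1/7.4.2), the indices of
    blocks whose link to the predecessor is broken (step7.4.3/7.4.4) and the
    overall verdict (step7.4.5).
    """
    tampered, broken = [], []
    for i, block in enumerate(chain):
        if final_hash(block["body"], block["prev_hash"], block["n"]) != block["hash"]:
            tampered.append(i)
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            broken.append(i)
    return {"tampered": tampered, "broken": broken,
            "usable": not tampered and not broken}


if __name__ == "__main__":
    chain = new_chain()
    for i in range(1, 4):  # constructed sample blocks with the step3.5 fields
        add_block(chain, {"timestamp": f"2022-08-16 10:00:0{i}", "device_id": "dev-01",
                          "data_hash": f"{i:064x}", "policy_id": f"P{i}",
                          "sign": "constructed", "nBits": 8})
    print(check_chain(chain))
    chain[2]["body"]["data_hash"] = "f" * 64   # edit data only
    print(check_chain(chain))                  # block 2 reported as tampered
    b = chain[2]                               # edit and recompute the own hash
    b["hash"] = final_hash(b["body"], b["prev_hash"], b["n"])
    print(check_chain(chain))                  # link at block 3 reported as broken
```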
Experimental comparison results:
Table 1. Comparison of block-out time between the blockchain designed by the method and Bitcoin, Ethereum and Hyperledger
Table 2. Comparison of the blockchain designed by the method with Hyperledger on CPU and throughput
As shown in Table 2, compared with a Fabric private chain under the same configuration, the throughput of the method can reach three hundred times that of Fabric, its latency is only 1.3% of Fabric's, and its CPU usage is about 23% of Fabric's. Therefore, in terms of energy consumption, the lightweight blockchain proposed by the method has the advantage on resource-constrained Internet of Things devices.
In summary, the invention provides an Internet of Things-oriented lightweight blockchain design method based on attribute access control, analysed and designed for resource-constrained Internet of Things scenarios. First, because the centralized authorization mechanism of the traditional attribute-based access control model does not suit the distributed Internet of Things scenario, the method designs an attribute-based access control method that provides fine-grained, decentralized and trustless access control, and achieves secure, efficient and controllable access with fully automatic reward and penalty measures. Second, because the high resource consumption of traditional blockchain platforms does not suit low-resource Internet of Things scenarios, the method designs a lightweight blockchain that offers lower storage, communication and computation costs and achieves efficient resource access and security management. Finally, because the matching process of traditional access control policies is cumbersome and does not suit low-resource Internet of Things scenarios, the method designs a simple access control policy generation method that provides a more comprehensive permission matching range and a more concise permission matching mode, and achieves an efficient attribute and policy adaptation process.
While the present invention has been described in detail with reference to the drawings, it is not limited to the above embodiments; various changes and modifications can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention, and such changes shall also be construed as falling within the scope of the present invention.

Claims (5)

1. An Internet of Things-oriented lightweight blockchain design method based on attribute access control, characterized by comprising the following:
firstly, a unique device identifier ID is obtained by normalizing the serial numbers of Internet of Things terminal devices; the acquired data is then hashed to obtain a data Hash, which is stored in a couchdb database as a key-value pair; secondly, the current timestamp, the device ID, the generated data Hash, the access control policy corresponding to the data, the device's signature on the data and the block-out difficulty are packaged into a whole block, and the block Hash value is calculated, broadcast to each node and stored in the couchdb database as a key-value pair; after obtaining the block Hash, the nodes retrieve the data from the couchdb database and verify whether the device and the corresponding digital signature are legal; if they are legal, a final block Hash meeting the set block-out difficulty is obtained by randomly serializing the random number, and the randomly serialized random number that meets the block-out difficulty is broadcast for the other nodes to verify, thereby completing verification and determining the final block Hash; adding blocks to the chain, block query, identity verification and policy management functions are performed by calling contracts, and block validity verification of the blocks on the chain is completed by checking whether the previous and next block Hashes are consistent with the block Hashes of the blockchain, thereby determining the generation of a novel blockchain;
the method comprises the following specific steps:
Step1, normalizing the Internet of Things devices, and preprocessing and storing the acquired data;
Step2, generating an attribute-based access control policy using the data and devices of Step1;
Step3, combining the data with the device identification information and the timestamp to generate a basic block and the corresponding hash value;
Step4, the nodes obtain the block hash value via broadcast, verify the validity of the data and judge whether the data is legal;
Step5, each node computes a final block hash that meets the difficulty requirement, broadcasts the random number and, after multi-node verification, calls the contract to add the block to the chain;
Step6, based on the smart contracts, the node queries data in the block, verifies identity and manages policies;
Step7, finally, the blocks that have passed block validity verification are linked through their previous and next block hashes to complete the generation of the blockchain.
2. The Internet of Things-oriented lightweight blockchain design method based on attribute access control of claim 1, wherein Step2 specifically comprises the following steps:
step2.1, the device, as the data owner, generates an identification Hash for the data;
step2.2, the access control policy is defined as a quadruple <policy ID, subject, object, operation>;
step2.3, the subject and the object are described in a tree structure, namely the parent node and child node information of the subject and the parent node and child node information of the object, wherein the root node is the administrator and has no parent node, and the child nodes comprise users and terminal devices;
step2.4, the operations include create C, read R, update U and delete D, described as action = (C R U D); each specific operation is expressed as "0" or "1", and the result is finally stored in hexadecimal;
step2.5, the policy ID is generated incrementally when the policy is stored, and is stored in the form of a string and a number.
3. The Internet of Things-oriented lightweight blockchain design method based on attribute access control of claim 1, wherein Step3 specifically comprises the following steps:
step3.1, the function Date().format("yyyy-MM-dd HH:MM:ss") is used to generate the current timestamp for the block;
step3.2, the device ID and the data Hash are set, and a digital signature on the data Hash is generated with the device private key;
step3.3, the access control policy ID corresponding to the data Hash is set;
step3.4, the block-out difficulty nBits is set to an integer in the range [0,255], for calculating and verifying the final block hash;
step3.5, the timestamp, the device ID, the data Hash, the policy ID, the device's signature on the data and the block-out difficulty nBits are combined and packaged into a data block.
4. The Internet of Things-oriented lightweight blockchain design method based on attribute access control of claim 1, wherein Step5 specifically comprises the following steps:
step5.1, the nodes obtain the current block Hash via broadcast, and query and determine the current block-out difficulty nBits;
step5.2, each node initializes a random value n and computes the final block Hash, modifying n until the first nBits bits of the hash are all 0;
step5.3, when a node finds a random value this.n for which the first nBits bits are 0, it broadcasts the value n and the resulting final block Hash;
step5.4, all other nodes verify whether this.n meets the requirement;
step5.5, once the requirement is met, all nodes package the block Hash, the previous block Hash and the corresponding random value this.n, and compute and generate the final block Hash.
5. The Internet of Things-oriented lightweight blockchain design method based on attribute access control of claim 1, wherein Step6 specifically comprises the following steps:
step6.1, the smart contract-based data query function is implemented by the data query contract QueryData(); QueryData() uses the data Hash to look up the corresponding data body content in the block, and uses the node Hash to look up the permissions the node holds; the query completes only if the corresponding data Hash exists among the node's child nodes and the node's operation permission 'R' value is 1;
step6.2, the smart contract-based identity verification function is implemented by the identity verification contract JudgeVerify(); JudgeVerify() uses the identity Hash to be checked to look up the corresponding public key data in the block, and returns the final verification result True or False by calling this.pk.verify(this.datahash, this.sign);
step6.3, the smart contract-based policy management function is implemented by the policy management contract MC(); MC() contains ManageAdd() for adding permissions, ManageUpdate() for updating permissions, and ManageDelete() for deleting permissions;
step6.4, the smart contract-based policy matching function is implemented by the policy matching contract JC(); JC() contains JudgeFromMC() for obtaining data access permissions from MC(), JudgeToPC() for sending the matching result to the PC() contract, and JudgeToACC() for sending the matching result to the ACC() contract;
step6.5, the smart contract-based illegal-access penalty function is implemented by the penalty contract PC(); PC() contains publishtooACC() for returning penalty measures to the ACC() contract;
step6.6, the smart contract-based access control function is implemented by the access control contract ACC(); ACC() sets an access time interval for illegal access, which increases exponentially, and records it in the history record; access can be applied for again only after the waiting time has elapsed; when the number of illegal accesses reaches the limit, the user is deleted and its Hash is recorded in a blacklist.
CN202210983502.5A 2022-08-16 2022-08-16 Internet of things-oriented lightweight blockchain design method based on attribute access control Active CN115529136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210983502.5A CN115529136B (en) 2022-08-16 2022-08-16 Internet of things-oriented lightweight blockchain design method based on attribute access control

Publications (2)

Publication Number Publication Date
CN115529136A CN115529136A (en) 2022-12-27
CN115529136B true CN115529136B (en) 2024-02-23

Family

ID=84695672

Country Status (1)

Country Link
CN (1) CN115529136B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177080A (en) * 2019-12-31 2020-05-19 西安理工大学 Knowledge graph storage and verification method based on block chain and IPFS
CN112261155A (en) * 2020-12-21 2021-01-22 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Internet of things access control method with dynamic consensus based on block chains of alliances
CN113162907A (en) * 2021-03-02 2021-07-23 西安电子科技大学 Attribute-based access control method and system based on block chain
WO2021229404A1 (en) * 2020-05-13 2021-11-18 International Business Machines Corporation Cross-network identity provisioning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
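Internet of Things access control model based on blockchain and edge computing; Zhang Jie; Journal of Computer Applications; Vol. 42 (No. 7); 2104-2111 *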

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant