CN116204923A - Data management and data query methods and devices - Google Patents
Data management and data query methods and devices Download PDFInfo
- Publication number
- CN116204923A CN116204923A CN202310217258.6A CN202310217258A CN116204923A CN 116204923 A CN116204923 A CN 116204923A CN 202310217258 A CN202310217258 A CN 202310217258A CN 116204923 A CN116204923 A CN 116204923A
- Authority
- CN
- China
- Prior art keywords
- data
- structure tree
- access structure
- attribute
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2471—Distributed queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Bioethics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Medical Informatics (AREA)
- Computing Systems (AREA)
- Fuzzy Systems (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Computational Linguistics (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application provides a data management and data query method and device, which can be used in the financial field or other technical fields. The method comprises the following steps: for a piece of data to be subjected to the uplink certificate, constructing an access structure tree according to the user attribute with access right to the piece of data; performing attribute-based encryption on the data to be subjected to the uplink certification according to the access structure tree to obtain encrypted data of the data; encrypting the access structure tree with the hidden part of information by using the temporary secret key to obtain an encrypted access structure tree; sharing the temporary secret key to blockchain nodes through a secret sharing technology, wherein each blockchain node is provided with one fragment of the temporary secret key; and sending the encrypted data and the encrypted access structure tree to the blockchain node. The data management and data query methods and the data management and data query devices provided by the embodiment of the application can enable the data owner to master the right of use of the data, and reduce the abuse of private data of users.
Description
Technical Field
The application relates to the technical field of blockchains, in particular to a data management and data query method and device.
Background
The traditional block chain network data encryption is completed by using a system specific key encryption calculation, so that the same data cannot be subjected to hierarchical management and control aiming at different users, the data is read and used without passing through the user authorization process of a data owner, the use right of the data is mastered in a block chain node operator instead of a user hand, and the abuse of user privacy data is easily caused.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the application provides a data management method, a data query method and a data query device, which can at least partially solve the problems in the prior art.
In one aspect, the present application proposes a data management method, including:
for a piece of data to be subjected to the uplink certificate, constructing an access structure tree according to the user attribute with access right to the piece of data;
performing attribute-based encryption on the data to be subjected to the uplink certification according to the access structure tree to obtain encrypted data corresponding to the data;
encrypting the access structure tree with the hidden part of information by using a temporary secret key to obtain an encrypted access structure tree;
sharing the temporary secret key to blockchain nodes through a secret sharing technology, wherein each blockchain node is provided with one fragment of the temporary secret key;
And sending the encrypted data and the encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the encrypted access structure tree and the encrypted data.
In some embodiments, the method further comprises:
and distributing the pre-constructed user attributes to each data using end, wherein each data using end receives at least one user attribute.
In some embodiments, for a piece of data to be logged, constructing the access structure tree according to the user attribute having access rights to the piece of data includes:
for a piece of data to be subjected to the uplink certification, constructing leaf nodes of an access structure tree according to user attributes with access rights to the piece of data, wherein each leaf node is constructed according to one user attribute, and the number of the leaf nodes is equal to the number of types of the user attributes with the access rights to the piece of data;
constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree.
In some embodiments, each user attribute includes an attribute number and an attribute value; constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree comprises:
Constructing polynomials to be solved corresponding to ancestor nodes of each level of the leaf node according to a preset access control strategy, wherein the number of unknown parameters in the polynomials to be solved corresponding to each ancestor node is equal to the number of child nodes of the ancestor node;
according to the attribute number and the attribute value corresponding to the child node of each ancestor node, solving the unknown parameters in the polynomial to be solved of the ancestor node by using an interpolation method to obtain the polynomial corresponding to the ancestor node;
according to the attribute number allocated to each ancestor node and the polynomial corresponding to the ancestor node, solving the attribute value of the ancestor node;
and constructing each level of ancestor nodes of the leaf node according to the attribute number and the attribute value of each ancestor node, and generating an access structure tree.
In some embodiments, encrypting the access structure tree with the hidden part of the information by using the temporary key, to obtain an encrypted access structure tree includes:
deleting the attribute value of each node in the access structure tree to obtain an access structure tree only containing attribute numbers;
and encrypting the access structure tree only containing the attribute numbers by using the temporary key to obtain an encrypted access structure tree.
In some embodiments, the method further comprises:
and transmitting the key number of the temporary key to each blockchain node, wherein each blockchain node establishes and stores the mapping relation among the temporary key fragments owned by the node, the key number, the encrypted access structure tree and the encrypted data.
In some embodiments, the method further comprises:
reconstructing user attributes with access rights to the data to be uploaded;
updating the access structure tree according to the reconstructed user attribute with access right to the data, so as to obtain a new access structure tree;
performing attribute-based encryption on the data according to the new access structure tree to obtain new encrypted data corresponding to the data;
encrypting the new access structure tree with the hidden part of information by using a temporary key to obtain a new encrypted access structure tree;
and sending the new encrypted data and the new encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the new encrypted access structure tree and the new encrypted data.
In some embodiments, the method further comprises:
and distributing the reconstructed user attributes to each data use terminal with access rights, wherein each data use terminal receives at least one user attribute.
In another aspect, the present application proposes a data query method, including:
sending a data query request to a block chain node, wherein the block chain node initiates consensus on encrypted data requested to be queried, and in the consensus process, secret sharing is carried out between a temporary key fragment corresponding to the encrypted data stored by the node and other block chain nodes, and the encrypted access structure tree corresponding to the encrypted data is decrypted to obtain an access structure tree with part of hidden information;
acquiring the encrypted data which is sent by the block chain node and is subjected to consensus, and the access structure tree hiding part of information;
if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving to obtain a complete access structure tree according to the locally owned user attribute;
and performing attribute-based decryption on the encrypted data according to the complete access structure tree to obtain the original data corresponding to the encrypted data.
In some embodiments, the access structure tree is constructed from user attributes having access rights to the original data, the user attributes including an attribute number and an attribute value;
and deleting the attribute values of all the nodes in the access structure tree with the hidden part of information.
In some embodiments, if the locally owned user attribute hits at least one access control policy in the access structure tree with the hidden part of the information, solving to obtain the complete access structure tree according to the locally owned user attribute includes:
if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving the attribute value of each node in the access structure tree by using a polynomial interpolation method according to the locally owned user attribute to obtain a complete access structure tree.
In some embodiments, the method further comprises:
the user attributes distributed to the local are obtained and saved.
In yet another aspect, the present application proposes a data management device comprising:
the first construction module is used for constructing an access structure tree for data to be subjected to the uplink certification according to the user attribute with access right to the data;
The first encryption module is used for performing attribute-based encryption on the data to be subjected to the uplink certificate according to the access structure tree to obtain encrypted data corresponding to the data;
the second encryption module is used for encrypting the access structure tree with the hidden part of information by using the temporary key to obtain an encrypted access structure tree;
the sharing module is used for sharing the temporary secret key to the blockchain nodes through a secret sharing technology, and each blockchain node is provided with one fragment of the temporary secret key;
and the sending module is used for sending the encrypted data and the encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the encrypted access structure tree and the encrypted data.
In yet another aspect, the present application proposes a data query device, including:
the sending module is used for sending a data query request to the block chain link node, the block chain node initiates consensus on the encrypted data requested to be queried, secret sharing is carried out between the temporary secret key fragments corresponding to the encrypted data stored by the node and other block chain nodes in the consensus process, and the encrypted access structure tree corresponding to the encrypted data is decrypted to obtain the access structure tree with part of hidden information;
The acquisition module is used for acquiring the encrypted data which is sent by the blockchain node and is subjected to consensus and the access structure tree with part of information hidden;
the solving module is used for solving and obtaining a complete access structure tree according to the locally owned user attribute if the locally owned user attribute hits at least one access control strategy in the access structure tree with the hidden part of information;
and the decryption module is used for performing attribute-based decryption on the encrypted data according to the complete access structure tree to obtain the original data corresponding to the encrypted data.
The embodiment of the application also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the steps of the data management method or the data query method in any embodiment when executing the program.
The present application further provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the data management method or the data query method described in any of the above embodiments.
According to the data management and data query method and device, the data owner can associate specific data with the user attribute, only the user meeting the specified attribute condition can decrypt the specific data, and the blockchain user not meeting the specified combined attribute condition cannot decrypt the specific data, so that the data owner can master the use right of the data, and the abuse condition of the private data of the user is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. In the drawings:
fig. 1 is a schematic flow chart of security data hierarchical management and authorization according to an embodiment of the present application.
FIG. 2 is a functional block diagram of a blockchain system for hierarchical security data management and authorization in accordance with an embodiment of the present application.
Fig. 3 is a mapping relationship diagram between a data user and a user attribute according to an embodiment of the present application.
Fig. 4 is a schematic structural diagram of an access structure tree according to an embodiment of the present application.
Fig. 5 is a schematic data structure diagram of a data certification transaction request according to an embodiment of the present application.
Fig. 6 is a schematic diagram of a data structure of a data certificate according to an embodiment of the present application.
Fig. 7 is a flow chart of a data management method according to an embodiment of the present application.
Fig. 8 is a partial flow chart of a data management method according to an embodiment of the present application.
Fig. 9 is a partial flow chart of a data management method according to an embodiment of the present application.
Fig. 10 is a partial flow chart of a data management method according to an embodiment of the present application.
Fig. 11 is a partial flow chart of a data management method according to an embodiment of the present application.
Fig. 12 is a schematic structural diagram of an access structure tree according to an embodiment of the present application.
Fig. 13 is a flowchart of a data query method according to an embodiment of the present application.
FIG. 14 is a flow chart of a method for data authorization processing of a data owner of a secure data hierarchy management and authorization blockchain system in accordance with an embodiment of the present application.
FIG. 15 is a flow chart of a method for processing data usage of a secure data hierarchy management and authorization blockchain system in accordance with an embodiment of the present application
FIG. 16 is a flow chart of a method for processing secure data hierarchy control and authorized data owner revocation data consumer control of a blockchain system in accordance with an embodiment of the present application.
FIG. 17 is a flow chart of a method for intelligent checking and automatic trimming of cold data of a secure data hierarchical management and authorization blockchain system according to an embodiment of the present application.
Fig. 18 is a schematic structural diagram of a data management device according to an embodiment of the present application.
Fig. 19 is a schematic structural diagram of a data query device according to an embodiment of the present application.
Fig. 20 is a schematic physical structure of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The illustrative embodiments of the present application and their description are presented herein to illustrate the application and not to limit the application. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be arbitrarily ordered with each other.
The terms "first," "second," … …, and the like, as used herein, do not denote a particular order or sequence, nor are they intended to limit the application solely to distinguish one element or operation from another in the same technical terms.
As used herein, the terms "comprising," "including," "having," "containing," and the like are intended to be inclusive and mean an inclusion, but not limited to.
As used herein, "and/or" includes any or all ordering of such things.
The execution main body of the data management and data query method provided by the embodiment of the application comprises, but is not limited to, a computer.
For a better understanding of the present application, a detailed description of the research background of the present application is provided below.
With the development of the blockchain technology, different grades can be associated with blockchain users of different data users, the blockchain users of different grades have different user attributes, specific data and the combination relation of the different user attributes are associated, only the blockchain users meeting the specified combination attribute condition can decrypt the specific data, and the blockchain users not meeting the specified combination attribute condition cannot decrypt the specific data, so that the data hierarchical control is realized. To hide decryption rules (i.e., the combined relationships of different user attributes required for decryption, also known as access structure trees) on the blockchain, temporary key encryption and decryption and secret sharing techniques are introduced between the blockchain user of the data owner and the plurality of blockchain nodes. Accessing the structure tree makes the data unlinkable with the data consumer and supports O (log n) computational complexity to enable rights revocation for the data consumer. The block data structure design can quickly search the history of the data authorization change, realize the intelligent detection and automatic cutting of the expired data, and further ensure the data safety by more efficiently utilizing the storage resources of the block chain on one hand and failing to inquire the expired data on the other hand.
Specifically, the present application proposes a blockchain system for hierarchical control and authorization of secure data, which relates to the technical field of blockchains, as shown in fig. 1, wherein the data authorization process of the data owner includes: the user attribute (including attribute number, attribute value) one-to-many distribution 101, construction and computation access structure tree 102, execution data encryption 103, secret sharing temporary key 104, execution access structure tree encryption 105, blockchain certification data and access structure tree 106 (including only attribute number), and the data user hierarchical management flow includes: the access structure tree 107 corresponding to the query data, the secret sharing decryption calculation to obtain a real access structure tree 108, the access structure tree and user attribute set comparison 109, the polynomial interpolation to obtain a data decryption key 110 and decryption data 111. And the data authorization flow of the data owner and the data user are combined by the data hierarchical control flow to finish the data hierarchical control and authorization in the block chain system. The data hierarchical management and control and authorization method is based on the blockchain technology to serve as an upgrading service of the traditional blockchain system, and a user can grasp the use condition of own data more conveniently and transparently under the background of the supervision requirements of data protection and abuse prevention.
FIG. 2 is a functional block diagram of a hierarchical secure data management and authorization blockchain system as shown in FIG. 2, comprising two functional entities: a blockchain user client, and a blockchain node. The blockchain user client contains several functional modules: the system comprises a user attribute distribution and local management module 201, an access structure tree construction and calculation module 202, a data encryption and decryption module 203, a secret sharing temporary key module 204, an access structure tree encryption module 205 and a blockchain certification and inquiry request module 206. The block link points comprise several functional modules: the secret sharing temporary key fragment generation and management module 207, the data and temporary key number comparison relation management module 208, the data and access structure tree comparison relation management module 209, the access structure tree decryption module 210 and the blockchain certificate processing module 211; wherein, the liquid crystal display device comprises a liquid crystal display device,
the user attribute distribution and local management module 201 is a tool for hierarchical management of other blockchain user clients by the blockchain user client, which may be a data owner, and the blockchain user client that receives and manages user attributes is an authorized data consumer. As shown in fig. 3, each data user has one or more different attributes (including attribute numbers and attribute values), and the user manages own attribute sets respectively and does not leak to a third party.
The access structure tree construction and computation module 202 constructs the access structure tree as shown in fig. 4 while the blockchain user client generates data requiring blockchain certification. Each data owner, after generating a new piece of data, will calculate the access structure tree corresponding to that piece of data. The calculation steps are as follows:
step one: constructing leaf nodes of the access structure tree according to each user attribute with access authority;
step two: for all non-leaf nodes except the root node, randomly generating attribute numbers of all non-leaf nodes;
step three: constructing polynomials at non-leaf nodes according to the access relation, wherein the attribute value of the ancestor node is the value of the polynomial at the argument 0, and the attribute value of each child node is the value of the polynomial at the argument child node attribute number.
Step four: and (3) pushing out the attribute value of each node of the access structure tree from bottom to top to finally obtain the attribute value of the root node.
Taking two of three attribute conditions (attribute 1, attribute 2, attribute 3, attribute 4) as an example for accessing a certain data requirement, the structure of the resulting access structure tree is shown in fig. 4.
The data encryption and decryption module 203 is configured to encrypt the original data by the blockchain user client, request the blockchain node to store the certificate, read the data from the blockchain link, and decrypt the data to obtain the original data.
The data owner executes attribute-based encryption according to the access structure tree, selects a group G with bilinear pairing characteristics, generates a primitive G, and the public key PK has G, h=g b 、f=g 1/b 、e(g,g) a Equal parameters, private key SK has d=g (a+r)/b 、D y1 =g r H(i) ri 、D y2 =g ri Equal parameters, where a, b, r, ri is a random number, y is any leaf node of the access structure tree, and i=attr (y) is the attribute number. The data to be encrypted is M, and the ciphertext is ct= (T, C 1 =Me(g,g) as ,C 2 =h s For all leaves y of T: C y1 =g qy(0) ,C y2 =H(attr(y)) qy(0) ). The data owner sends the private key SK to the data user through a secure channel, and the ciphertext CT is published to the blockchain. The data consumer performs attribute-based decryption based on the access structure tree, and the ciphertext decryption calculation is fy=Decryptonode (CT, SK, y) =e (D y1 ,C y1 )/e(D y2 ,C y2 ) Fy=e (g, g) can be obtained from bilinear mapping characteristics rqy(0) . All leaf nodes z of the node x are calculated, sx is a set of child nodes with any size, and calculation is performed
Recursive calculation from bottom to top up to root node a=f R =e(g,g) rs Decryption results in plaintext m=c 1 /(e(C 2 ,D)/A)。
The secret sharing temporary key module 204 is configured to randomly generate a temporary key by a blockchain user client, calculate a temporary key number, perform secret sharing related to the temporary key with a plurality of blockchain link points, obtain a part of the temporary key by each blockchain link point participant after the secret sharing is finished, and establish an association relationship between the key fragment and the temporary key number. The blockchain user client, typically the data owner, initiates this flow.
The access structure tree encryption module 205 is an access structure tree that the blockchain user client uses to encrypt only attribute number relationships using the temporary key described above.
The blockchain certification and query request module 206 sends the encrypted data and encryption parameters (the encryption parameters related to performing attribute-based encryption according to the access structure tree), the encrypted access structure tree, and the temporary key number to the blockchain node, and records the data and hierarchical management and control information to the blockchain node. The data structure of the data-logging transaction request is shown in fig. 5.
The secret sharing temporary key shard generation and management module 207 performs secret sharing with the blockchain user clients for a plurality of blockchain nodes, each blockchain node obtains a part of the temporary key, and establishes an association relationship between the key shard and the temporary key number.
The data and temporary key number comparison management module 208 checks the temporary key number corresponding to the data when the blockchain node receives a data query request.
The data and access structure tree comparison management module 209 is configured to check an encrypted access structure tree corresponding to a data when the blockchain node receives a data query request.
The access structure tree decryption module 210 loads the secret sharing temporary key fragments according to the temporary key numbers obtained by the data and temporary key number comparison management module 208, generates the key fragments obtained by secret sharing with the management module 207 and the encrypted access structure tree obtained by the data and access structure tree comparison management module 209, performs secret sharing decryption calculation between nodes, obtains the decrypted access structure tree, and returns the decrypted access structure tree to the blockchain user client.
The blockchain certification processing module 211 records the encrypted data and the encrypted parameters, the encrypted access structure tree, the temporary key number and other information sent by the blockchain user client onto the blockchain. In order to enable the blockchain node to quickly adapt to the access control logic change of data and the intelligent inspection and automatic cutting of cold data, as shown in fig. 6, a file type data storage technology supporting tamper resistance is introduced for the blockchain node, after encrypted data and encryption parameters are stored in the tamper resistant file type data storage, a unique randomly generated data index number in a network is generated, and the data index number, the encrypted access structure tree, the temporary key number and other information are recorded in the block and form a chain storage which is connected front and back. The block data structure includes, in addition to the preceding fields, a unique transaction number of the whole network, a user signature for preventing replay of the transaction, and a last data index number for recording an old data index number, the data index number for a new data index after the access control of the data is changed.
Fig. 7 is a flow chart of a data management method according to an embodiment of the present application, as shown in fig. 7, where the data management method according to the embodiment of the present application includes:
s101, constructing an access structure tree for data to be subjected to uplink certification according to user attributes with access rights to the data;
s102, performing attribute-based encryption on the data to be subjected to the uplink certification according to the access structure tree to obtain encrypted data corresponding to the data;
s103, encrypting the access structure tree with the hidden part of information by using a temporary secret key to obtain an encrypted access structure tree;
s104, sharing the temporary secret key to block chain nodes through a secret sharing technology, wherein each block chain node is provided with a fragment of the temporary secret key;
s105, sending the encrypted data and the encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the encrypted access structure tree and the encrypted data.
Specifically, the data owner associates specific data with the user attribute, and the user only meeting the specified attribute condition can decrypt the specific data, and the blockchain user not meeting the specified combined attribute condition can not decrypt the specific data, so that the data owner can master the use right of the data, and the abuse condition of the private data of the user is reduced.
To hide decryption rules (i.e., the combined relationships of different user attributes required for decryption, also known as access structure trees) on the blockchain, temporary key encryption and decryption and secret sharing techniques are introduced between the blockchain user of the data owner and the plurality of blockchain nodes.
In some embodiments, the method further comprises: and distributing the pre-constructed user attributes to each data using end, wherein each data using end receives at least one user attribute. Specifically, the data owner constructs the user attribute, performs one-to-many distribution with the data user, each data user has one or more different attributes, and the user manages own attribute set without revealing to the third party.
As shown in fig. 8, in some embodiments, for a piece of data to be logged, constructing an access structure tree according to a user attribute having access rights to the piece of data includes:
s1011, constructing leaf nodes of an access structure tree according to user attributes with access rights to data to be subjected to uplink certification, wherein each leaf node is constructed according to one user attribute, and the number of the leaf nodes is equal to the number of types of the user attributes with the access rights to the data;
S1012, constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree.
Specifically, the relationship between nodes of each level of the access structure tree is determined according to a preset access control policy, for example, as shown in fig. 4, taking accessing a certain data requirement to meet two of three attribute conditions (attribute 1 and attribute 2, attribute 3 and attribute 4) as an example, the preset access control policy is that a user can access the data by meeting two of three attribute conditions (attribute 1 and attribute 2, attribute 3 and attribute 4), then the leaf node constructed by attribute 1 and the leaf node constructed by attribute 2 are in a "and" relationship, the two leaf nodes share an ancestor node, the leaf node constructed by attribute 3 has a single ancestor node, and similarly, the leaf node constructed by attribute 4 has a single ancestor node; and finally, constructing a root node of the access structure tree according to ancestor nodes of each leaf node.
As shown in fig. 9, in some embodiments, each user attribute includes an attribute number and an attribute value; constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree comprises:
S10121, constructing polynomials to be solved corresponding to ancestor nodes of each level of the leaf node according to a preset access control strategy, wherein the number of unknown parameters in the polynomials to be solved corresponding to each ancestor node is equal to the number of child nodes of the ancestor node;
s10122, solving unknown parameters in the polynomial to be solved of each ancestor node by utilizing an interpolation method according to the attribute number and the attribute value corresponding to the child node of each ancestor node, and obtaining the polynomial corresponding to the ancestor node;
s10123, solving the attribute value of each ancestor node according to the attribute number allocated to the ancestor node and the polynomial corresponding to the ancestor node;
s10124, constructing ancestor nodes of each level of the leaf node according to the attribute number and the attribute value of each ancestor node, and generating an access structure tree.
For example, as shown in fig. 4, for the ancestor node common to attribute 1 and attribute 2, a polynomial f (x) =ax+b is constructed, where the polynomial has two unknown parameters a and b, and the number of the unknown parameters is equal to the number of child nodes of the ancestor node; according to the number and the attribute value of the attribute 1 and the number and the attribute value of the attribute 2, parameters a and b can be obtained by solving, so as to obtain a polynomial corresponding to the ancestor node.
As shown in fig. 10, in some embodiments, encrypting the access structure tree with the temporary key, where the access structure tree is hidden with part of the information, to obtain the encrypted access structure tree includes:
s1031, deleting the attribute value of each node in the access structure tree to obtain an access structure tree only containing attribute numbers;
s1032, encrypting the access structure tree only containing the attribute numbers by using the temporary key to obtain the encrypted access structure tree.
In some embodiments, the method further comprises: and transmitting the key number of the temporary key to each blockchain node, wherein each blockchain node establishes and stores the mapping relation among the temporary key fragments owned by the node, the key number, the encrypted access structure tree and the encrypted data.
As shown in fig. 11, in some embodiments, the method further comprises:
s106, reconstructing user attributes with access rights to the data to be uploaded;
s107, updating the access structure tree according to the reconstructed user attribute with access right to the data, so as to obtain a new access structure tree;
S108, performing attribute-based encryption on the data according to the new access structure tree to obtain new encrypted data corresponding to the data;
s109, encrypting the new access structure tree with the hidden part of information by using a temporary secret key to obtain a new encrypted access structure tree;
s110, the new encrypted data and the new encrypted access structure tree are sent to the blockchain node, and the blockchain node is used for storing the new encrypted access structure tree and the new encrypted data.
Specifically, when the data owner wants to revoke the authorization control of a certain data to a certain data user, the data owner generates a new attribute for the data user who reserves the right, distributes the new attribute to the data user who reserves the right, and the user who revokes the data use cannot receive the new attribute. The data owner loads the access structure tree, calculates the attribute numbers and attribute values of the brother nodes and the ancestor nodes of each level of the revoked attribute node from bottom to top according to the new attribute, and updates the access structure tree to the root node. For example, for the access structure tree in fig. 4, after user attribute 2 is revoked, attribute numbers and attribute values of the 3 nodes with shadows as shown in fig. 12 are recalculated.
In some embodiments, the method further comprises: and distributing the reconstructed user attributes to each data use terminal with access rights, wherein each data use terminal receives at least one user attribute. Each data user end decrypts the encrypted data of the pen data according to the latest received user attribute.
Fig. 13 is a flow chart of a data query method according to an embodiment of the present application, as shown in fig. 13, where the data query method according to the embodiment of the present application includes:
s201, sending a data query request to a block chain link node, wherein the block chain node initiates consensus on encrypted data requested to be queried, and in the consensus process, secret sharing is carried out between a temporary secret key fragment corresponding to the encrypted data stored by the node and other block chain nodes, and the encrypted access structure tree corresponding to the encrypted data is decrypted to obtain an access structure tree with part of hidden information;
s202, acquiring the encrypted data which is sent by the blockchain node and is subjected to consensus, and the access structure tree with part of information hidden;
s203, if the locally owned user attribute hits at least one access control strategy in the access structure tree with the hidden part of information, solving to obtain a complete access structure tree according to the locally owned user attribute;
S204, performing attribute-based decryption on the encrypted data according to the complete access structure tree to obtain original data corresponding to the encrypted data.
Specifically, the data owner associates specific data with the user attribute, and the user only meeting the specified attribute condition can decrypt the specific data, and the blockchain user not meeting the specified combined attribute condition can not decrypt the specific data, so that the data owner can master the use right of the data, and the abuse condition of the private data of the user is reduced.
In some embodiments, the method further comprises: the user attributes distributed to the local are obtained and saved. Specifically, the data owner constructs the user attribute, performs one-to-many distribution with the data user, each data user has one or more different attributes, and the user manages own attribute set without revealing to the third party.
In some embodiments, the access structure tree is constructed from user attributes having access rights to the original data, the user attributes including an attribute number and an attribute value; and deleting the attribute values of all the nodes in the access structure tree with the hidden part of information.
In some embodiments, if the locally owned user attribute hits at least one access control policy in the access structure tree with the hidden part of the information, solving to obtain the complete access structure tree according to the locally owned user attribute includes: if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving the attribute value of each node in the access structure tree by using a polynomial interpolation method according to the locally owned user attribute to obtain a complete access structure tree. Specifically, the process of solving the complete access structure tree is similar to the process of constructing the access structure tree in the above embodiment, and will not be described here again.
The following describes the workflow of the blockchain system for hierarchical management and authorization of secure data provided by the present application in detail by way of specific embodiments.
FIG. 14 is a flow chart of a method for processing data authorization of a data owner of a secure data hierarchical management and authorization blockchain system, which relates to the data owner, the data consumer and the blockchain node, and comprises the following steps:
step S301: the data owner constructs user attributes (including attribute numbers, attribute values) and performs one-to-many distribution with the data consumer. Each data user has one or more different attributes (including attribute numbers and attribute values), and the user manages own attribute sets respectively and does not leak to a third party.
Step S302: the data owner constructs and computes an access structure tree. The leaf node is the authorized attribute number of each user, and the value of the father node is the result of performing polynomial interpolation on the attribute value corresponding to the attribute number of the child node. And calculating from bottom to top to obtain tree root nodes.
Step S303: the data owner performs attribute-based encryption of the data based on accessing the structure tree.
Step S304: the data owner and the plurality of blockchain nodes share the temporary key in a secret way, each blockchain node is provided with a part of the temporary key, and the corresponding relation between the temporary key number and the temporary key fragment is recorded.
Step S305: the data owner performs encryption of the access structure tree using the temporary key.
Step S306: the data owner requests the block link point for the encrypted data, the access structure tree (containing only the attribute number), and the temporary key number.
FIG. 15 is a flowchart of a method for processing a data consumer of a secure data hierarchical management and authorization blockchain system, which relates to a data consumer and a blockchain node, and comprises the following steps:
step S401: the data uses the direction block chain node to inquire the data, and the block chain node inquires the encrypted access structure tree and the temporary key number corresponding to the data.
Step S402: in the block chain node consensus process, the temporary key fragments are loaded according to the temporary key numbers, secret sharing is initiated among the nodes, and the actual access structure tree is obtained through decryption calculation.
Step S403: the block link points return the true access structure tree to the data consumer.
Step S404: the data user compares the access structure tree with the user attribute set, if the user attribute set contains the required attribute logic in the access structure tree, S405 is executed, otherwise, decryption fails, and the process is exited.
Step S405: and loading and accessing attribute values corresponding to the attribute numbers in the structure tree by the data user, and performing polynomial interpolation to obtain a root node by calculation from bottom to top.
Step S406: the data user uses the complete access structure tree to execute attribute-based decryption to obtain the original data.
FIG. 16 is a flowchart of a method for processing secure data hierarchical management and authorization for a data owner to revoke authorization control of a data consumer in a blockchain system, involving the data owner, the data consumer, and the blockchain node, comprising the steps of:
step S501: when the data owner wants to cancel the authorization control of a certain data to a certain data user, the data owner generates a new attribute (including an attribute number and an attribute value) for the data user with the reserved authority, distributes the new attribute to the data user with the reserved authority, and a user with the revoked data use authority cannot receive the new attribute.
Step S502: the data owner loads the access structure tree, calculates the attribute numbers and attribute values of the brothers nodes and the ancestor nodes of the withdrawn attribute node from bottom to top according to the new attribute, and updates the access structure tree until the tree root node.
Step S503: the data owner encrypts the original data using the new access structure tree.
Step S504: the data owner performs encryption of the access structure tree using the temporary key.
Step S505: the data owner requests to the block link point to authenticate the new encrypted data, the new access structure tree (containing only the attribute number) and the original temporary key number.
FIG. 17 is a flow chart of a method for intelligent checking and automatic trimming of cold data for a secure data hierarchical management and authorization blockchain system, involving blockchain nodes, comprising the steps of:
step S601: the block chain node scans the latest block until the block is created, and checks the change of the data version to obtain the cold data of the non-latest version, namely the block containing the last data index number.
Step S602: the last data index number is parsed from the block.
Step S603: and recording the last data index number to the data mark set to be cleaned.
Step S604: and automatically cutting corresponding data in the tamper-proof file type storage according to the data mark set to be cleaned at regular intervals.
The data management and data query method provided by the application has at least the following advantages:
1. compared with the traditional authority control table, the method has the advantages that data owners and data users are required to be bound one by one, and the patent uses the binding relation between specific data and access structure tree, so that more fine and convenient adjustment is achieved on data management.
2. Compared with the traditional authority control table which directly discloses the authority control information on the blockchain, any blockchain node can obtain the complete authority control information unilaterally, the access structure tree designed by the patent uses secret sharing encryption, and the authorization relationship between data and the user of the data user is only known by the data owner or can be known after the blockchain node with enough number participates in secret sharing decryption, so that the access structure tree corresponding to the data cannot be read or modified at will for a third party user in the blockchain. And compared with the method that a plurality of blockchain clients directly bear secret sharing and decrypting the original access structure tree, the method has the advantages that the design of bearing the task by the blockchain nodes with more sufficient computing resources, long-term online state and safer temporary key slicing storage environment is more consistent with the actual application scene, and the efficiency and the safety are higher.
3. Compared with the traditional signature verification to verify the identity of the user, the method and the device complete user attribute set distribution between the data owner and the data user, and the public information on the blockchain cannot bind the user attribute with the specific blockchain user, so that the data on the chain and the specific blockchain user have unlinkability.
4. When a data owner wants to cancel the authorization control of a data user, the data owner generates a new attribute (including an attribute number and an attribute value) for the adjusted data, calculates and updates the access structure tree from bottom to top to obtain a root node as a new key, encrypts the original data by using the new key and distributes the new attribute to users with old data use rights, and the users with the data use rights are not able to receive the new attribute. A user without new attributes will not be able to decrypt the re-encrypted data at a later query. The computational complexity of the rights revocation of the data consumer is O (log n), a relatively efficient and flexible implementation.
5. The modified block data structure introduces the fields of data index number and last data index number, can quickly search the history of data change in tamper-proof file type data storage, quickly detect out the future data, mark the past data, then execute regular cleaning in the later period, and release the storage space for the subsequent service. The method realizes the intelligent detection and automatic cutting of the expired data in the tamper-proof file type data storage, on one hand, the storage resources of the block chain are more efficiently utilized, on the other hand, the expired data cannot be inquired, and the data security is further ensured.
Fig. 18 is a schematic structural diagram of a data management device according to an embodiment of the present application, and as shown in fig. 18, the data management device according to the embodiment of the present application includes:
a first construction module 71, configured to construct, for a piece of data to be subjected to the uplink certification, an access structure tree according to a user attribute having access rights to the piece of data;
a first encryption module 72, configured to perform attribute-based encryption on the data to be subjected to the chain-up certificate according to the access structure tree, so as to obtain encrypted data corresponding to the data;
a second encryption module 73, configured to encrypt the access structure tree with the part of information hidden by using a temporary key, to obtain an encrypted access structure tree;
a sharing module 74 for sharing the temporary key to blockchain nodes through a secret sharing technique, each blockchain node having a slice of the temporary key;
and a sending module 75, configured to send the encrypted data and the encrypted access structure tree to the blockchain node, where the blockchain node is configured to authenticate the encrypted access structure tree and the encrypted data.
Specifically, the data owner associates specific data with the user attribute, and the user only meeting the specified attribute condition can decrypt the specific data, and the blockchain user not meeting the specified combined attribute condition can not decrypt the specific data, so that the data owner can master the use right of the data, and the abuse condition of the private data of the user is reduced.
In some embodiments, the sending module is further configured to:
and distributing the pre-constructed user attributes to each data using end, wherein each data using end receives at least one user attribute.
In some embodiments, the first building block is specifically configured to:
for a piece of data to be subjected to the uplink certification, constructing leaf nodes of an access structure tree according to user attributes with access rights to the piece of data, wherein each leaf node is constructed according to one user attribute, and the number of the leaf nodes is equal to the number of types of the user attributes with the access rights to the piece of data;
constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree.
In some embodiments, each user attribute includes an attribute number and an attribute value; the first construction module constructs ancestor nodes of each level of the leaf node according to a preset access control strategy, and the generation of the access structure tree comprises the following steps:
constructing polynomials to be solved corresponding to ancestor nodes of each level of the leaf node according to a preset access control strategy, wherein the number of unknown parameters in the polynomials to be solved corresponding to each ancestor node is equal to the number of child nodes of the ancestor node;
According to the attribute number and the attribute value corresponding to the child node of each ancestor node, solving the unknown parameters in the polynomial to be solved of the ancestor node by using an interpolation method to obtain the polynomial corresponding to the ancestor node;
according to the attribute number allocated to each ancestor node and the polynomial corresponding to the ancestor node, solving the attribute value of the ancestor node;
and constructing each level of ancestor nodes of the leaf node according to the attribute number and the attribute value of each ancestor node, and generating an access structure tree.
In some embodiments, the second encryption module is specifically configured to:
deleting the attribute value of each node in the access structure tree to obtain an access structure tree only containing attribute numbers;
and encrypting the access structure tree only containing the attribute numbers by using the temporary key to obtain an encrypted access structure tree.
In some embodiments, the sending module is further configured to:
and transmitting the key number of the temporary key to each blockchain node, wherein each blockchain node establishes and stores the mapping relation among the temporary key fragments owned by the node, the key number, the encrypted access structure tree and the encrypted data.
In some embodiments, the apparatus further comprises:
the third construction module is used for reconstructing user attributes with access rights to the data to be uploaded for the data to be uploaded;
the updating module is used for updating the access structure tree according to the reconstructed user attribute with the access right to the data to obtain a new access structure tree;
the first encryption module is further used for performing attribute-based encryption on the data according to the new access structure tree to obtain new encrypted data corresponding to the data;
the second encryption module is further configured to encrypt the new access structure tree with the part of information hidden by using a temporary key, so as to obtain a new encrypted access structure tree;
the sending module is further configured to send the new encrypted data and the new encrypted access structure tree to the blockchain node, where the blockchain node is configured to store the new encrypted access structure tree and the new encrypted data.
In some embodiments, the sending module is further configured to:
and distributing the reconstructed user attributes to each data use terminal with access rights, wherein each data use terminal receives at least one user attribute.
The embodiment of the apparatus provided in the embodiment of the present application may be specifically used to execute the processing flow of the embodiment of the data management method, and the functions thereof are not described herein again, and may refer to the detailed description of the embodiment of the method.
Fig. 19 is a schematic structural diagram of a data query device according to an embodiment of the present application, and as shown in fig. 19, the data query device according to the embodiment of the present application includes:
a sending module 81, configured to send a data query request to a blockchain node, where the blockchain node initiates a consensus on encrypted data requested to be queried, and in the consensus process, perform secret sharing between a temporary key fragment corresponding to the encrypted data stored in the node and other blockchain nodes, and decrypt an encrypted access structure tree corresponding to the encrypted data to obtain an access structure tree with part of information hidden;
an obtaining module 82, configured to obtain the encrypted data after consensus sent by the blockchain node and the access structure tree with part of information hidden;
a solving module 83, configured to solve, according to the locally owned user attribute, to obtain a complete access structure tree if the locally owned user attribute hits at least one access control policy in the access structure tree with part of information hidden;
And the decryption module 84 is configured to perform attribute-based decryption on the encrypted data according to the complete access structure tree, so as to obtain original data corresponding to the encrypted data.
Specifically, the data owner associates specific data with the user attribute, and the user only meeting the specified attribute condition can decrypt the specific data, and the blockchain user not meeting the specified combined attribute condition can not decrypt the specific data, so that the data owner can master the use right of the data, and the abuse condition of the private data of the user is reduced.
In some embodiments, the access structure tree is constructed from user attributes having access rights to the original data, the user attributes including an attribute number and an attribute value; and deleting the attribute values of all the nodes in the access structure tree with the hidden part of information.
In some embodiments, the solution module is specifically configured to:
if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving the attribute value of each node in the access structure tree by using a polynomial interpolation method according to the locally owned user attribute to obtain a complete access structure tree.
In some embodiments, the apparatus further comprises:
and the storage module is used for acquiring and storing the user attribute distributed to the local.
The embodiment of the apparatus provided in the embodiment of the present application may be specifically used to execute the processing flow of the embodiment of the data query method, and the functions thereof are not described herein again, and may refer to the detailed description of the embodiment of the method.
It should be noted that, the data management and data query method and device provided in the embodiments of the present application may be used in the financial field, and may also be used in any technical field other than the financial field, where the application fields of the data management and data query method and device in the embodiments of the present application are not limited.
Fig. 20 is a schematic physical structure diagram of an electronic device according to an embodiment of the present application, as shown in fig. 20, the electronic device may include: processor 901, communication interface (Communications Interface) 902, memory 903 and communication bus 904, wherein processor 901, communication interface 902 and memory 903 communicate with each other via communication bus 904. The processor 901 may invoke logic instructions in the memory 903 to perform the method described in any of the embodiments above.
Further, the logic instructions in the memory 903 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand alone product. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the method embodiments described above.
The present embodiment provides a computer-readable storage medium storing a computer program that causes the computer to execute the methods provided by the above-described method embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In the description of the present specification, reference to the terms "one embodiment," "one particular embodiment," "some embodiments," "for example," "an example," "a particular example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present application and are not meant to limit the scope of the invention, but to limit the scope of the invention.
Claims (16)
1. A method of data management, comprising:
for a piece of data to be subjected to the uplink certificate, constructing an access structure tree according to the user attribute with access right to the piece of data;
performing attribute-based encryption on the data to be subjected to the uplink certification according to the access structure tree to obtain encrypted data corresponding to the data;
encrypting the access structure tree with the hidden part of information by using a temporary secret key to obtain an encrypted access structure tree;
sharing the temporary secret key to blockchain nodes through a secret sharing technology, wherein each blockchain node is provided with one fragment of the temporary secret key;
and sending the encrypted data and the encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the encrypted access structure tree and the encrypted data.
2. The method according to claim 1, wherein the method further comprises:
and distributing the pre-constructed user attributes to each data using end, wherein each data using end receives at least one user attribute.
3. The method of claim 1, wherein for a piece of data to be authenticated for linking, constructing an access structure tree based on user attributes having access rights to the piece of data comprises:
for a piece of data to be subjected to the uplink certification, constructing leaf nodes of an access structure tree according to user attributes with access rights to the piece of data, wherein each leaf node is constructed according to one user attribute, and the number of the leaf nodes is equal to the number of types of the user attributes with the access rights to the piece of data;
constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree.
4. A method according to claim 3, wherein each user attribute comprises an attribute number and an attribute value; constructing ancestor nodes of each level of the leaf node according to a preset access control strategy, and generating an access structure tree comprises:
Constructing polynomials to be solved corresponding to ancestor nodes of each level of the leaf node according to a preset access control strategy, wherein the number of unknown parameters in the polynomials to be solved corresponding to each ancestor node is equal to the number of child nodes of the ancestor node;
according to the attribute number and the attribute value corresponding to the child node of each ancestor node, solving the unknown parameters in the polynomial to be solved of the ancestor node by using an interpolation method to obtain the polynomial corresponding to the ancestor node;
according to the attribute number allocated to each ancestor node and the polynomial corresponding to the ancestor node, solving the attribute value of the ancestor node;
and constructing each level of ancestor nodes of the leaf node according to the attribute number and the attribute value of each ancestor node, and generating an access structure tree.
5. The method of claim 4, wherein encrypting the access structure tree with the portion of information hidden using the temporary key to obtain an encrypted access structure tree comprises:
deleting the attribute value of each node in the access structure tree to obtain an access structure tree only containing attribute numbers;
and encrypting the access structure tree only containing the attribute numbers by using the temporary key to obtain an encrypted access structure tree.
6. The method of claim 5, wherein the method further comprises:
and transmitting the key number of the temporary key to each blockchain node, wherein each blockchain node establishes and stores the mapping relation among the temporary key fragments owned by the node, the key number, the encrypted access structure tree and the encrypted data.
7. The method according to any one of claims 1 to 6, further comprising:
reconstructing user attributes with access rights to the data to be uploaded;
updating the access structure tree according to the reconstructed user attribute with access right to the data, so as to obtain a new access structure tree;
performing attribute-based encryption on the data according to the new access structure tree to obtain new encrypted data corresponding to the data;
encrypting the new access structure tree with the hidden part of information by using a temporary key to obtain a new encrypted access structure tree;
and sending the new encrypted data and the new encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the new encrypted access structure tree and the new encrypted data.
8. The method of claim 7, wherein the method further comprises:
and distributing the reconstructed user attributes to each data use terminal with access rights, wherein each data use terminal receives at least one user attribute.
9. A method of querying data, comprising:
sending a data query request to a block chain node, wherein the block chain node initiates consensus on encrypted data requested to be queried, and in the consensus process, secret sharing is carried out between a temporary key fragment corresponding to the encrypted data stored by the node and other block chain nodes, and the encrypted access structure tree corresponding to the encrypted data is decrypted to obtain an access structure tree with part of hidden information;
acquiring the encrypted data which is sent by the block chain node and is subjected to consensus, and the access structure tree hiding part of information;
if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving to obtain a complete access structure tree according to the locally owned user attribute;
and performing attribute-based decryption on the encrypted data according to the complete access structure tree to obtain the original data corresponding to the encrypted data.
10. The method of claim 9, wherein the access structure tree is constructed from user attributes having access rights to the original data, the user attributes including an attribute number and an attribute value;
and deleting the attribute values of all the nodes in the access structure tree with the hidden part of information.
11. The method of claim 10, wherein if the locally owned user attribute hits at least one access control policy in the access structure tree that hides the partial information, then solving for the complete access structure tree based on the locally owned user attribute comprises:
if the locally owned user attribute hits at least one access control strategy in the access structure tree hiding part of the information, solving the attribute value of each node in the access structure tree by using a polynomial interpolation method according to the locally owned user attribute to obtain a complete access structure tree.
12. The method according to claim 9, wherein the method further comprises:
the user attributes distributed to the local are obtained and saved.
13. A data management apparatus, comprising:
the first construction module is used for constructing an access structure tree for data to be subjected to the uplink certification according to the user attribute with access right to the data;
The first encryption module is used for performing attribute-based encryption on the data to be subjected to the uplink certificate according to the access structure tree to obtain encrypted data corresponding to the data;
the second encryption module is used for encrypting the access structure tree with the hidden part of information by using the temporary key to obtain an encrypted access structure tree;
the sharing module is used for sharing the temporary secret key to the blockchain nodes through a secret sharing technology, and each blockchain node is provided with one fragment of the temporary secret key;
and the sending module is used for sending the encrypted data and the encrypted access structure tree to the blockchain node, wherein the blockchain node is used for storing the encrypted access structure tree and the encrypted data.
14. A data query device, comprising:
the sending module is used for sending a data query request to the block chain link node, the block chain node initiates consensus on the encrypted data requested to be queried, secret sharing is carried out between the temporary secret key fragments corresponding to the encrypted data stored by the node and other block chain nodes in the consensus process, and the encrypted access structure tree corresponding to the encrypted data is decrypted to obtain the access structure tree with part of hidden information;
The acquisition module is used for acquiring the encrypted data which is sent by the blockchain node and is subjected to consensus and the access structure tree with part of information hidden;
the solving module is used for solving and obtaining a complete access structure tree according to the locally owned user attribute if the locally owned user attribute hits at least one access control strategy in the access structure tree with the hidden part of information;
and the decryption module is used for performing attribute-based decryption on the encrypted data according to the complete access structure tree to obtain the original data corresponding to the encrypted data.
15. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any one of claims 1 to 8 or 9 to 12 when the computer program is executed.
16. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 8 or 9 to 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310217258.6A CN116204923A (en) | 2023-03-08 | 2023-03-08 | Data management and data query methods and devices |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310217258.6A CN116204923A (en) | 2023-03-08 | 2023-03-08 | Data management and data query methods and devices |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116204923A true CN116204923A (en) | 2023-06-02 |
Family
ID=86511045
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310217258.6A Pending CN116204923A (en) | 2023-03-08 | 2023-03-08 | Data management and data query methods and devices |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116204923A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117407849A (en) * | 2023-12-14 | 2024-01-16 | 四川省电子产品监督检验所 | Industrial data security protection method and system based on industrial Internet technology |
-
2023
- 2023-03-08 CN CN202310217258.6A patent/CN116204923A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117407849A (en) * | 2023-12-14 | 2024-01-16 | 四川省电子产品监督检验所 | Industrial data security protection method and system based on industrial Internet technology |
| CN117407849B (en) * | 2023-12-14 | 2024-02-23 | 四川省电子产品监督检验所 | Industrial data security protection method and system based on industrial Internet technology |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109144961B (en) | Authorization file sharing method and device | |
| CN108462568B (en) | Block chain-based secure file storage and sharing method and cloud storage system | |
| CN111130757B (en) | Multi-cloud CP-ABE access control method based on block chain | |
| CN112019591B (en) | Cloud data sharing method based on block chain | |
| CN110033258B (en) | Service data encryption method and device based on block chain | |
| CN114065265B (en) | Fine-grained cloud storage access control method, system and equipment based on blockchain technology | |
| Premkamal et al. | A new verifiable outsourced ciphertext-policy attribute based encryption for big data privacy and access control in cloud | |
| US20190065764A1 (en) | Secret Data Access Control Systems and Methods | |
| CN109768987A (en) | A kind of storage of data file security privacy and sharing method based on block chain | |
| CN114730420A (en) | System and method for generating signatures | |
| CN109450843B (en) | SSL certificate management method and system based on block chain | |
| US8806206B2 (en) | Cooperation method and system of hardware secure units, and application device | |
| CN109146479B (en) | Data encryption method based on block chain | |
| CN111614680B (en) | CP-ABE-based traceable cloud storage access control method and system | |
| US20160072772A1 (en) | Process for Secure Document Exchange | |
| CN113065961A (en) | Power block chain data management system | |
| CN115296838B (en) | Block chain-based data sharing method, system and storage medium | |
| CN115883214A (en) | Electronic medical data sharing system and method based on alliance chain and CP-ABE | |
| CN106326666A (en) | Health record information management service system | |
| CN116204923A (en) | Data management and data query methods and devices | |
| Yan et al. | Traceable and weighted attribute-based encryption scheme in the cloud environment | |
| CN107360252B (en) | Data security access method authorized by heterogeneous cloud domain | |
| CN115250205B (en) | Data sharing method and system based on alliance chain, electronic device and storage medium | |
| CN109146684B (en) | Decentralized transaction verification method | |
| CN107317823A (en) | Encryption method and system in a kind of cloud storage system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |