CN116842546A

CN116842546A - Distributed data access authorization and data service method and device, equipment and medium

Info

Publication number: CN116842546A
Application number: CN202310864045.2A
Authority: CN
Inventors: 傅德谦; 王利; 李晓玲; 刘佳
Original assignee: Linyi Dima Block Chain Network Technology Co ltd; Shandong Modern Logistics Technology Industry Research Institute Co ltd; Linyi University
Current assignee: Linyi Dima Block Chain Network Technology Co ltd; Shandong Modern Logistics Technology Industry Research Institute Co ltd; Linyi University
Priority date: 2023-07-14
Filing date: 2023-07-14
Publication date: 2023-10-03

Abstract

The embodiment of the application discloses a distributed data access authorization and data service method, a device, equipment and a medium. The method comprises the following steps: the data application end sends identity verification information to the blockchain, and the blockchain carries out identity authentication on the data application end according to the identity certificate; after the identity authentication is successful, the data application end sends a data access request to the data providing end through a blockchain, the blockchain authorizes the data access request of the data application end by utilizing an intelligent contract, and authorization information is stored in the blockchain; after a data service request sent by a data application end is authorized by a blockchain intelligent contract, a data providing end uses Handle or OBDA to search data, and under the condition that corresponding data is searched, the data is encrypted and then sent to the data application end. The application can meet the controllable and automatic data exchange with zero trust among large-scale distributed users, and provides better support for data-driven business collaboration and business innovation.

Description

Distributed data access authorization and data service method and device, equipment and medium

Technical Field

The application relates to a distributed data access authorization and data service method, a device, equipment and a medium, and belongs to the technical field of information. .

Background

Currently, with the increasing growth of data and the complexity of application scenarios, more and more data is stored in different storage media at different locations, and the data often needs to be accessed and used by multiple users. However, the conventional data access authorization method often has security and efficiency problems. Thus, a new method of distributed data access authorization and data services is needed.

Disclosure of Invention

In order to solve the technical problems, embodiments of the present application provide a method, an apparatus, a device, and a medium for distributed data access authorization and data service, so as to improve efficiency and security of data access authorization.

Other features and advantages of the application will be apparent from the following detailed description, or may be learned by the practice of the application.

According to an aspect of an embodiment of the present application, there is provided a distributed data access authorization and data service method, including: the data application end sends identity verification information to a blockchain, wherein the identity verification information comprises an identity certificate, and the blockchain carries out identity authentication on the data application end according to the identity certificate;

After the identity authentication of the data application end is successful, the data application end sends a data access request to a data providing end through a block chain, the block chain authorizes the data access request of the data application end by utilizing an intelligent contract and stores authorization information in the block chain, and the data providing end determines the access authority of the data application end according to the data access request and the authorization information stored in the block chain;

the data providing terminal searches data by using Handle or OBDA according to a data service request sent by the data application terminal under the condition that the data application terminal has access right, encrypts the data under the condition that the corresponding data is searched, and sends the encrypted data to the data application terminal;

and the application terminal receives the encrypted data and decrypts the encrypted data to obtain the data to be accessed.

Further, a log record is stored in the blockchain, wherein the log record comprises a source of a data access request, time, a request parameter and a processing result.

Further, the blockchain performs identity authentication on the data application terminal according to the identity certificate, and specifically includes:

The blockchain performs identity authentication on the data application end according to the identity authentication data stored on the blockchain, wherein the identity authentication data comprises a plurality of identity certificates, and the identity certificates are generated through identity information provided when the user end registers as the data application end on the blockchain;

under the condition that the identity authentication data has the same identity certificate as the identity certificate of the data application end, the data application end succeeds in identity authentication;

and under the condition that the identity authentication data does not have the identity certificate identical to the identity certificate of the data application end, the identity authentication of the data application end is unsuccessful.

Further, the data providing end stores a database, each digital object included in the database corresponds to a unique identifier, and the digital object includes a data service and a data set;

the data service request comprises a unique identifier, and the data providing end performs data searching in a database according to the unique identifier:

after a data service request of the data application end is authorized by a blockchain intelligent contract, the data providing end uses a Handle to find a digital object corresponding to the unique identifier, encrypts the digital object as corresponding data and sends the encrypted data to the data application end;

Under the condition that data is not found in a preset time range, sending first return information to the data application end, wherein the first return information is used for indicating that a request is overtime;

if the data is not found, sending second return information to the data application end, wherein the second return information is used for indicating that the request is invalid;

when the data service request of the data application end is not authorized by the blockchain intelligent contract, namely related authorization information is not stored in the blockchain, third return information is sent to the data application end, and the third return information is used for indicating that the authority is insufficient.

Further, the unique identifier is updated, renamed or deleted to manage the digital object.

Further, the data providing end stores a database, and the data providing end integrates part or all of data in the database into a unified semantic graph, wherein different data resources can be identified, classified, connected and inquired in the semantic graph;

the data service request comprises semantic query information, and the data providing end performs data search in the database according to the semantic query information:

After the data service request of the data application end is authorized by the blockchain intelligent contract, the data providing end uses the OBDA to find the data resource corresponding to the semantic query information on the basis of an ontology model describing the semantics and the relation among the data distributed among different data sources, encrypts the data resource as corresponding data and sends the encrypted data resource to the data application end;

Further, the data providing end encrypts the data by using the public key of the data application end, and the encrypted data can only be decrypted by the private key corresponding to the public key.

According to an aspect of an embodiment of the present application, there is provided a distributed data access authorization and data service apparatus, including:

the data application terminal is configured to send identity verification information to the blockchain, the identity verification information comprises an identity certificate, the blockchain carries out identity authentication on the data application terminal according to the identity certificate, and after the identity authentication of the data application terminal is successful, the data application terminal sends a data access request to the data providing terminal, receives encrypted data and decrypts the encrypted data to obtain the data to be accessed;

the data providing end is configured to determine the access authority of the data application end according to the data access request and the authorization information stored in the blockchain, and when the data application end is determined to have the access authority, the data providing end searches data by using Handle or OBDA according to the data service request sent by the data application end, encrypts the data and sends the encrypted data to the data application end when the corresponding data is found.

According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: a controller; and a memory for storing one or more programs that, when executed by the controller, cause the controller to implement the distributed data access authorization and data service method described above.

According to an aspect of the embodiments of the present application, there is also provided a computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor of a computer, cause the computer to perform the above-described distributed data access authorization and data service method.

According to an aspect of embodiments of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the distributed data access authorization and data service method described above.

In the technical scheme provided by the embodiment of the application, the method has at least the following advantages:

safety: the authenticity of the identity and the non-tamper property of the data are ensured through the trusted identity verification of the blockchain and the alliance access authorization mechanism, and the risk of tampering or theft of the data is avoided.

High efficiency: by adopting the Handle or OBDA data service method, the user request can be responded quickly, and the data access efficiency is improved.

Scalability: distributed data access authorization and data services can be deployed on multiple nodes, and the system scale can be dynamically adjusted according to the increase of data volume and user requirements, so that higher concurrency and better performance are realized.

Reliability: distributed data access authorization and data services may employ redundancy and backup mechanisms to improve the reliability of the system. When a certain node fails, the system can be automatically switched to other nodes to ensure the normal operation of the system.

Manageability: the distributed data access authorization and data service can manage and monitor the data service through a centralized management mechanism, so that the problem of the system can be found and solved in time, and the manageability of the system is improved.

High efficiency: the distributed data access authorization and data service can store the data authorization information on nearby nodes, and reduce data transmission and network delay, so that the data access efficiency and response speed are improved.

Transparency: all access authorization and data service records are recorded by using the blockchain technology, so that the transparency and traceability of the data service are ensured.

Flexibility: the distributed data access authorization adopts a alliance access authorization mechanism, and the access authorization range and the authority level can be flexibly adjusted according to specific requirements.

In a word, the distributed data access authorization and data service can be widely applied to data access authorization and data service scenes which need across institutions and fields through the advantages of expandability, reliability, security, manageability, transparency, flexibility, high efficiency and the like.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is evident that the drawings in the following description are only some embodiments of the present application and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:

FIG. 1 is a schematic illustration of an implementation environment in which the present application is directed;

FIG. 2 is a flow chart illustrating a distributed data access authorization and data service method according to an exemplary embodiment of the present application;

FIG. 3 is a flowchart of authentication shown in an exemplary embodiment of the present application;

FIG. 4 is a flow chart of a data service shown in another exemplary embodiment of the application;

FIG. 5 is a flow chart of a data service shown in another exemplary embodiment of the application;

FIG. 6 is a schematic diagram illustrating the structure of a distributed data access authorization and data service apparatus according to an exemplary embodiment of the present application;

fig. 7 is a schematic diagram of a computer system of an electronic device according to an exemplary embodiment of the present application.

Detailed Description

Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.

The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.

In the present application, the term "plurality" means two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., a and/or B may represent: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.

Referring first to fig. 1, fig. 1 is a schematic diagram of an implementation environment according to the present application. The implementation environment comprises a data application end 100 and a data providing end 200, wherein the data application end 100 and the data providing end 200 communicate through a wired or wireless network.

The data application terminal 100 and the data provider terminal 200 may serve as participants, respectively perform identity registration for the data application terminal and the data provider terminal through the blockchain system, and provide identity information and identity verification materials. Encryption, anonymization and other technologies are needed to be adopted in the process so as to ensure that identity information and access rights are fully protected. When the identity information of the participant changes, the identity update is required so that the blockchain system can update the identity information and the access rights of the participant.

Referring to fig. 2, fig. 2 is a flowchart illustrating a distributed data access authorization and data service method according to an exemplary embodiment of the present application, which is performed by a data application end and a data provider end that establish communication, where the data application end and the data provider end are implemented as a device having at least data processing and transmission. As shown in fig. 2, the method at least includes steps S201 to S204, which are described in detail as follows:

step S201, the data application end sends identity verification information to a blockchain, wherein the identity verification information comprises an identity certificate, and the blockchain carries out identity authentication on the data application end according to the identity certificate.

The step is an identity verification step, namely that only users registered in a blockchain system can be successfully authenticated. The user needs to be authenticated before applying for access to the data.

Referring to fig. 3, fig. 3 is an authentication flow chart according to an exemplary embodiment of the present application, further, the blockchain performs identity authentication on the data application terminal according to an identity certificate, which specifically includes:

Step S301, the blockchain performs identity authentication on the data application end according to identity authentication data stored on the blockchain, wherein the identity authentication data comprises a plurality of identity certificates, and the identity certificates are generated through identity information provided when a user end registers as the data application end on the blockchain;

step S302, under the condition that the identity authentication data has the same identity certificate as the identity certificate of the data application end, the identity authentication of the data application end is successful;

step S303, in the case that the identity authentication data does not have the same identity certificate as the identity certificate of the data application end, the identity authentication of the data application end is unsuccessful.

Step S202, after the identity authentication of the data application end is successful, the data application end sends a data access request to a data providing end through a blockchain, the blockchain authorizes the data access request of the data application end by utilizing an intelligent contract and stores authorization information in the blockchain, and the data providing end determines the access authority of the data application end according to the data access request and the authorization information stored in the blockchain.

The alliance access authorization mechanism utilizes the intelligent contract to authorize the data access request of the data application end, and controls the access authority of the user to the data. Only authorized users can access the data service, and the authorization information is stored in the blockchain, so that the reliability and the non-tamper property of the authorization information are ensured.

Specifically, the alliance access authorization mechanism is an access authorization mode based on an alliance chain and is used for controlling the access authority of the data resource. In this mechanism, only authorized members can access the data resource, and other unauthorized members cannot.

The implementation of the federated access authorization mechanism is based on blockchain technology and smart contracts. In this mechanism, the identity of the authorized member and access rights information are stored on the blockchain, and the smart contract is used to implement the logic of access authorization. When a member needs to access a data resource, it needs to submit an access request and provide its own authentication information. The intelligent contract judges whether the member is authorized to access the data resource according to the information in the request, and generates a corresponding access authorization token according to the authorization level, timeliness and other requirements.

The alliance access authorization mechanism can effectively protect the security and privacy of the data resources and prevent unauthorized members from accessing and tampering with the data. Meanwhile, the mechanism can also support fine-granularity access control, realize differentiated access authority management among different members, and improve the utilization efficiency and flexibility of data resources.

Step S203, when the data providing end determines that the data applying end has the access right, according to the data service request sent by the data applying end, the data providing end uses Handle or OBDA to search data, and encrypts the data and sends the encrypted data to the data applying end when the corresponding data is found.

The method comprises the steps of providing data service and returning data in a targeted manner, wherein after access authorization is obtained, a data requester can access the data through a Handle (or OBDA) data service. The Handle (or OBDA) data service is an efficient data service method, and can quickly respond to user requests, so that the data access efficiency is improved.

Both Handle and OBDA are available for data services. They are identifier-based systems that can be used to name, address, access and manage distributed resources, including data, services, applications, and the like.

In the distributed data access authorization and data service method, handle and OBDA can be used for identifying and managing data resources, providing data service, and controlling data access authority through a alliance access authorization mechanism so as to ensure the safety and privacy of data.

Handle is a distributed naming system that can provide unique, persistent, manageable identifiers for digital objects. In the present invention, handle is used to implement distributed data services.

In particular, handle provides a globally unique identifier that can be used to identify and locate digital objects. In the present invention, a digital object may be a data service, a data collection, or other data resource. Distributed provisioning of data services may be achieved by associating a digital object with a unique Handle identifier.

When a user needs to access a particular data service, the Handle identifier of the data service may be used to locate the service. With the support of the federation access authorization mechanism, only authorized users can access the data service. Meanwhile, since Handle provides a persistent identifier, a user can access a data service through the same Handle identifier even if the provider of the data service changes.

In addition, the Handle also provides a manageable identifier, and can update, rename, delete and the like the digital object when needed. This makes management of the data services more flexible and efficient.

In summary, the role of Handle in the present application is to provide a unique, persistent, manageable identifier for a digital object, enabling distributed data services. By combining with the alliance access authorization mechanism, the security and controllability of the data service can be ensured.

Referring to fig. 4, fig. 4 is a flowchart of a data service according to an exemplary embodiment of the present application, which specifically includes:

in step S401, the data provider stores a database, where each digital object included in the database corresponds to a unique identifier, and the digital object includes a data service and a data set.

In step S402, the data service request includes a unique identifier, and the data providing end performs data searching in a database according to the unique identifier.

Step S403, after the data service request of the data application end is authorized by the blockchain intelligent contract, the data providing end uses Handle to find the digital object corresponding to the unique identifier, and encrypts the digital object as corresponding data and sends the encrypted data to the data application end.

Step S404, under the condition that the data is not found in the preset time range, sending first return information to the data application terminal, wherein the first return information is used for indicating that the request is overtime.

And step S405, sending second return information to the data application terminal under the condition that the data is not found, wherein the second return information is used for indicating that the request is invalid.

Step S406, when the data service request of the data application end is not authorized by the blockchain intelligent contract, that is, the blockchain does not store the related authorization information, third return information is sent to the data application end, where the third return information is used to indicate that the authority is insufficient.

OBDA is a semantic-based data service providing mode, and can provide more intelligent and efficient services in data access and data query. In the present invention, OBDA is used to implement distributed data services.

In particular, OBDA utilizes the technology of ontologies to integrate different data sources and data into a unified semantic graph, forming a complex, multidimensional, semantically data network. In this semantic graph, different data resources can be identified, categorized, connected, and queried.

When a user needs to access a particular data service, the semantic queries provided by the OBDA can be used to quickly locate and obtain the required data resources. With the support of the federation access authorization mechanism, only authorized users can access the data service. Meanwhile, as the OBDA has high intelligence and expandability, more complex inquiry and analysis can be performed on the data resources, and more accurate and efficient data service is provided for users.

In addition, the OBDA can also utilize the knowledge graph technology to carry out pretreatment works such as data quality control, data complement, cleaning and the like. This ensures the quality and reliability of the data service.

In short, the OBDA has the function of integrating different data resources into a unified semantic graph through the knowledge graph technology, and providing more intelligent and efficient service for data access and query. By combining with the alliance access authorization mechanism, the security and controllability of the data service can be ensured. Meanwhile, the OBDA can also control and preprocess the quality of the data, and improve the quality and reliability of the data service.

Referring to fig. 5, fig. 5 is a flowchart of a data service according to another exemplary embodiment of the present application, which specifically includes:

in step S501, the data provider stores a database, and the data provider integrates part or all of the data in the database into a unified semantic graph, where different data resources can be identified, classified, connected and queried.

Step S502, the data service request includes semantic query information, and the data providing end performs data searching in the database according to the semantic query information.

Step S503, after the data service request of the data application end is authorized by the blockchain intelligent contract, the data providing end uses the OBDA to find the data resource corresponding to the semantic query information based on the ontology model describing the semantics and the relations among the data distributed among the different data sources, and encrypts the data resource as the corresponding data and then sends the encrypted data resource to the data application end.

Step S504, under the condition that the data is not found in the preset time range, sending first return information to the data application terminal, wherein the first return information is used for indicating that the request is overtime.

In step S505, if no data is found, a second return message is sent to the data application end, where the second return message is used to indicate that the request is invalid.

Step S506, when the data service request of the data application end is not authorized by the blockchain intelligent contract, that is, the blockchain does not store the related authorization information, third return information is sent to the data application end, where the third return information is used to indicate that the authority is insufficient.

In some embodiments, the data provider processes data service requests, including resolution, validation, response, etc. of the requests, while handling exceptions, such as request timeouts, request invalidations, rights inadequacies, etc.

In some embodiments, the data providing end performs quality control and preprocessing on the data, and ensures the accuracy and reliability of the data. And returning the requested data result to the user, and simultaneously ensuring the safety and privacy protection of the data.

In some embodiments, the data providing end encrypts the data by using the public key of the data applying end, and the encrypted data can only be decrypted by the private key corresponding to the public key.

Finally, in step S204, the application end receives the encrypted data and decrypts the encrypted data to obtain the data to be accessed.

In some embodiments, a log record is stored in the blockchain, the log record including a source of the data access request, a time, a request parameter, and a processing result.

The relevant information of each data service request, including the source of the request, time, request parameters, processing results, etc., is recorded by log records for subsequent analysis and management. All access authorization and data service records are recorded, and transparency and traceability of the data access authorization and the data service are ensured.

Therefore, the distributed data access authorization and data service method based on the blockchain realizes high-efficiency safe access and control of the data service through the trusted identity authentication, the alliance access authorization mechanism and the Handle (or OBDA) data service, has good practicability and economic benefit, and is suitable for various distributed data access authorization and data service scenes.

Another aspect of the present application further provides a distributed data access authorization and data service apparatus, as shown in fig. 6, the apparatus 600 includes:

the data application end 601 is configured to send identity verification information to a blockchain, the identity verification information comprises an identity certificate, the blockchain performs identity verification on the data application end according to the identity certificate, and after the data application end succeeds in identity verification, the data application end sends a data access request to the data providing end through the blockchain, receives encrypted data and decrypts the encrypted data to obtain the data to be accessed;

the data providing end 602 is configured to determine whether access of the data applying end is allowed according to the data access request and authorization information stored in the blockchain, and if it is determined that the data applying end has access authority, the data providing end uses Handle or OBDA to search data according to a data service request sent by the data applying end, and if corresponding data is found, encrypts the data and sends the encrypted data to the data applying end.

In another embodiment, the blockchain uses an intelligent contract to realize authorization, the data application terminal initiates a data access request to the data providing terminal through the blockchain, and the intelligent contract performs semantic reasoning according to the public data access rule and the personal customized data access rule provided by the data providing terminal to determine whether the data access request is allowed or not, so as to determine whether to authorize the data access request or not.

In another embodiment, a log record is stored in the blockchain, the log record including the source of the data access request, the time, the request parameters, and the processing results.

In another embodiment, the data provider 602 is configured to:

carrying out identity authentication on the data application end according to the identity authentication data stored on the blockchain, wherein the identity authentication data comprises a plurality of identity certificates which are generated through identity information provided when the user end registers as the data application end on the blockchain;

In another embodiment, the data provider stores a database, each digital object included in the database corresponds to a unique identifier, and the digital object includes a data service and a data set;

In another embodiment, the data provider 602 is configured to implement management of digital objects by performing update, rename, or delete operations on the unique identifiers.

In another embodiment, the data providing end stores a database, and the data providing end integrates part or all of data in the database into a unified semantic graph, wherein different data resources can be identified, classified, connected and queried;

In another embodiment, the data provider 602 is configured to encrypt data using a public key of the data applicant, and the encrypted data can only be decrypted by a private key corresponding to the public key.

It should be noted that, the distributed data access authorization and data service apparatus provided in the foregoing embodiments and the distributed data access authorization and data service method provided in the foregoing embodiments belong to the same concept, and the specific manner in which each module and unit perform the operation has been described in detail in the method embodiment, which is not repeated herein.

Another aspect of the present application also provides an electronic device, including: a controller; and a memory for storing one or more programs that when executed by the controller perform the methods identified in the various embodiments described above.

Referring to fig. 7, fig. 7 is a schematic diagram of a computer system of an electronic device according to an exemplary embodiment of the present application, which is suitable for implementing the electronic device according to the embodiment of the present application.

It should be noted that, the computer system 700 of the electronic device shown in fig. 7 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.

As shown in fig. 7, the computer system 700 includes a central processing unit (Central Processing Unit, CPU) 701 that can perform various appropriate actions and processes, such as performing the methods in the above-described embodiments, according to a program stored in a Read-Only Memory (ROM) 702 or a program loaded from a storage section 708 into a random access Memory (Random Access Memory, RAM) 703. In the RAM 703, various programs and data required for the system operation are also stored. The CPU 701, ROM 702, and RAM 703 are connected to each other through a bus 704. An Input/Output (I/O) interface 705 is also connected to bus 704.

The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN (Local Area Network ) card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 77 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 77 as needed so that a computer program read out therefrom is mounted into the storage section 708 as needed.

In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. When executed by a Central Processing Unit (CPU) 701, performs the various functions defined in the system of the present application.

It should be noted that, the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with a computer-readable computer program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. A computer program embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Where each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units involved in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.

Another aspect of the application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a distributed data access authorization and data service method as before. The computer-readable storage medium may be included in the electronic device described in the above embodiment or may exist alone without being incorporated in the electronic device.

Another aspect of the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the distributed data access authorization and data service method provided in the above-described embodiments.

According to an aspect of the embodiment of the present application, there is also provided a computer system including a central processing unit (Central Processing Unit, CPU) which can perform various appropriate actions and processes, such as performing the method in the above-described embodiment, according to a program stored in a Read-Only Memory (ROM) or a program loaded from a storage section into a random access Memory (Random Access Memory, RAM). In the RAM, various programs and data required for the system operation are also stored. The CPU, ROM and RAM are connected to each other by a bus. An Input/Output (I/O) interface is also connected to the bus.

The following components are connected to the I/O interface: an input section including a keyboard, a mouse, etc.; an output section including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, and a speaker, and the like; a storage section including a hard disk or the like; and a communication section including a network interface card such as a LAN (Local Area Network ) card, a modem, or the like. The communication section performs communication processing via a network such as the internet. The drives are also connected to the I/O interfaces as needed. Removable media such as magnetic disks, optical disks, magneto-optical disks, semiconductor memories, and the like are mounted on the drive as needed so that a computer program read therefrom is mounted into the storage section as needed.

The foregoing is merely illustrative of the preferred embodiments of the present application and is not intended to limit the embodiments of the present application, and those skilled in the art can easily make corresponding variations or modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be defined by the claims.

Claims

1. A method for distributed data access authorization and data services, the method comprising:

The data application end sends identity verification information to a blockchain, wherein the identity verification information comprises an identity certificate, and the blockchain carries out identity authentication on the data application end according to the identity certificate;

2. The method of claim 1, wherein authorization is accomplished in the blockchain using smart contracts, parameters of which include source, object, time of data access request and processing result of return request.

3. The method for distributed data access authorization and data service according to claim 1, wherein the blockchain performs identity authentication on the data application terminal according to an identity certificate, and specifically comprises:

4. A distributed data access authorization and data service method according to claim 3, wherein the data provider stores a database, each digital object included in the database having a unique identifier, the digital object including a data service and a data set;

5. The method of claim 4, wherein the management of the digital objects is achieved by performing an update, rename or delete operation on the unique identifier.

6. The distributed data access authorization and data service method according to claim 1, wherein the data providing end stores a database, and the data providing end integrates part or all of the data in the database into a unified semantic graph, wherein different data resources can be identified, classified, connected and queried in the semantic graph;

7. A distributed data access authorization and data service method according to any one of claims 1 to 6, wherein the data provider encrypts data using a public key of the data applicant, the encrypted data being decryptable only by a private key corresponding to the public key.

8. A distributed data access authorization and data service apparatus, comprising:

the data application end is configured to send identity verification information to the blockchain, the identity verification information comprises an identity certificate, the blockchain carries out identity authentication on the data application end according to the identity certificate, and after the data application end succeeds in identity authentication, the blockchain sends a data access request to the data providing end, receives encrypted data and decrypts the encrypted data to obtain the data to be accessed;

9. An electronic device, comprising: a controller; a memory for storing one or more programs that, when executed by the controller, cause the controller to implement the distributed data access authorization and data services method of any of claims 1-7.

10. A computer readable storage medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the distributed data access authorization and data service method of any of claims 1 to 7.