CN117499059A - Access control system, method, apparatus, and computer-readable storage medium - Google Patents

Publication number
CN117499059A
Authority
CN
China
Prior art keywords: service, result, provable, zkp, module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210875971.5A
Other languages
Chinese (zh)
Inventor
竹勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN202210875971.5A
Priority to PCT/CN2023/106989 (WO2024022110A1)
Publication of CN117499059A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/52 Network services specially adapted for the location of the user terminal
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3221 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs interactive zero-knowledge proofs
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an access control system, an access control method, an access control device and a computer-readable storage medium. The access control system comprises a service request device, a service providing device and a location providing device. The service providing device is connected with the service request device and is used for receiving a service request and an authorization query identifier and generating constraint conditions according to the service request and the authorization query identifier; the location providing device is connected with the service providing device and is used for receiving the constraint conditions and obtaining a provable result based on zero-knowledge proof according to the constraint conditions; the service providing device is further used for verifying the provable result to obtain a verification result, and for judging, according to the verification result, whether to provide the location-based service to the service request device. The invention can avoid the risk of counterfeiting or tampering by the data owner, and effectively protects the rights and interests of the provider of the location-based service.

Description

Access control system, method, apparatus, and computer-readable storage medium
Technical Field
Embodiments of the present invention relate to, but are not limited to, the field of location services and network security technologies, and in particular, to an access control system, method, apparatus, and computer readable storage medium.
Background
In the related art in the field of access control based on location information, personal trajectory information is encrypted and stored on-chain by a blockchain device; a verifier then asks the data owner to prove a personal trajectory from that information, and the data owner, after acquiring the personal location information from the blockchain, calculates a provable result on a personal terminal. However, when the data owner presents the verification result to the verifier on the personal terminal, it is difficult for the verifier to check for possible impersonation or tampering by the data owner.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
The embodiments of the invention provide an access control system, an access control method, an access control device and a computer-readable storage medium, which can avoid the risk of counterfeiting or tampering by a data owner and effectively protect the interests of the provider of location-based services.
In a first aspect, an embodiment of the present invention provides an access control system, including:
a service request device, configured to send a service request and an authorization query identifier;
a service providing device, connected with the service request device and configured to receive the service request and the authorization query identifier, generate constraint conditions for a zero-knowledge proof according to the service request and the authorization query identifier, and output the constraint conditions;
a location providing device, connected with the service providing device and configured to receive the constraint conditions, obtain a provable result based on zero-knowledge proof according to the constraint conditions, and output the provable result to the service providing device; the service providing device is further configured to verify the provable result to obtain a verification result, and to determine, according to the verification result, whether to provide a location-based service to the service request device, wherein the provable result does not include location data of the service request device.
In a second aspect, an embodiment of the present invention further provides an access control method, applied to a service request device, where the method includes:
sending a service request and an authorization query identifier to a service providing device, so that the service providing device generates constraint conditions for a zero-knowledge proof according to the service request and the authorization query identifier and outputs the constraint conditions to a location providing device;
and receiving a location-based service from the service providing device, wherein the location-based service is sent after the service providing device verifies a provable result provided by the location providing device, the provable result is obtained by the location providing device based on zero-knowledge proof according to the constraint conditions, and the provable result does not include location data of the service request device.
In a third aspect, an embodiment of the present invention further provides an access control method, applied to a service providing device, where the method includes:
receiving a service request and an authorization query identifier from a service request device, and obtaining constraint conditions for a zero-knowledge proof according to the service request and the authorization query identifier;
transmitting the constraint conditions to a location providing device, so that the location providing device obtains a provable result based on zero-knowledge proof according to the constraint conditions, wherein the provable result does not include location data of the service request device;
receiving the provable result sent by the location providing device, verifying the provable result to obtain a verification result, and judging, according to the verification result, whether to provide a location-based service to the service request device;
and, if the judgment result is yes, sending the location-based service.
In a fourth aspect, an embodiment of the present invention further provides an access control method, applied to a location providing device, where the method includes:
obtaining constraint conditions for a zero-knowledge proof from a service providing device, and obtaining a provable result based on zero-knowledge proof according to the constraint conditions, wherein the provable result does not include location data of the service request device;
and outputting the provable result to the service providing device, so that the service providing device verifies the provable result to generate a verification result and judges, according to the verification result, whether to provide a location-based service to the service request device.
In a fifth aspect, an embodiment of the present invention further provides an access control apparatus, including: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing when executing the computer program:
the access control method as described in the second aspect;
or,
the access control method according to the third aspect described above;
or,
the access control method according to the fourth aspect described above.
In a sixth aspect, embodiments of the present invention also provide a computer-readable storage medium storing computer-executable instructions for:
performing the access control method as described in the second aspect above;
or,
performing the access control method as described in the third aspect above;
or,
performing the access control method as described in the fourth aspect above.
The embodiments of the invention comprise the following: the data owner sends a service request and an authorization query identifier to the service providing device through the service request device; the service providing device, connected with the service request device, receives the service request and the authorization query identifier, generates constraint conditions for a zero-knowledge proof according to them, and outputs the constraint conditions to the location providing device; the location providing device, connected with the service providing device, receives the constraint conditions, queries the location data of the service request device according to the constraint conditions, performs a zero-knowledge proof over the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the service providing device; the service providing device then verifies the provable result to obtain a verification result, and provides the location-based service to the service request device according to the verification result. Compared with the related art, in the access control system of the embodiments the data owner authorizes the service providing device through the service request device, and the zero-knowledge proof is performed over the constraint conditions and the location data, so the risk of counterfeiting or tampering by the data owner can be avoided and the rights and interests of the provider of the location-based service are effectively protected. In addition, no new trusted device needs to be introduced, the provable result does not include the location data of the service request device, and personal privacy data can be protected and computational integrity made trustworthy on the basis of the existing access network, which further reduces cost.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate and do not limit the invention.
FIG. 1 is a schematic diagram of an access control system according to an embodiment of the first aspect of the present invention;
FIG. 2 is a schematic diagram of an access control system according to an embodiment of the first aspect of the present invention;
FIG. 3 is a schematic diagram of an access control system based on cellular network user profiles provided in accordance with an embodiment of the first aspect of the present invention;
FIG. 4 is a schematic diagram of a configuration of a user access location based rights assessment system according to another embodiment of the first aspect of the present invention;
FIG. 5 is a flow chart of an access control method provided by one embodiment of the second aspect of the present invention;
FIG. 6 is a flow chart of an access control method according to an embodiment of the third aspect of the present invention;
FIG. 7 is a flow chart illustrating an acquisition constraint provided by another embodiment of the third aspect of the present invention;
FIG. 8 is a flowchart of obtaining a verification result according to another embodiment of the third aspect of the present invention;
FIG. 9 is a schematic flow chart of a service module according to another embodiment of the third aspect of the present invention for processing a verification result;
FIG. 10 is a flow chart of a process for verifying a provable result provided by another embodiment of the third aspect of the present invention;
FIG. 11 is a schematic flow chart of providing location-based services to a service request device according to another embodiment of the third aspect of the present invention;
FIG. 12 is a flow chart of an access control method provided by an embodiment of the fourth aspect of the present invention;
FIG. 13 is a flow chart of obtaining provable results provided by another embodiment of the fourth aspect of the invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In a conventional location-based access control system, take signal positioning in the radio access network of a conventional cellular network as an example. Cell-ID positioning of the user's mobile terminal is the basic positioning function: each cell of a base station has a relatively fixed coverage area and a relatively fixed number, and the simplest positioning method is to locate the terminal by the cell it is attached to. The base station collects the measurement results fed back by the terminal that receives the positioning signal and reports this information to the positioning calculation engine; the positioning engine then calculates the position coordinates of the terminal from the measurement information and sends them to the positioning platform, which finally passes them to the various location-based applications. Other access network scenarios, such as satellite-based positioning or indoor positioning, work on similar principles. Such a conventional location-based access control system in an access network requires the personal data owner to send a request to a data platform of the access network; the data platform returns the personal location trajectory information for a given time and place, and the personal data owner presents this plaintext data in exchange for a location-based service.
However, because a conventional location-based access control system cannot prove computational integrity, the data owner has to trust the data platform of the access network unconditionally. In practice the data platform faces risks such as wrong results caused by unintentional errors in processing, and computation processes and results falsified through deliberate cheating or through attack and control by malicious attackers. The data owner must also present personal location trajectory information in exchange for the corresponding location-based service, sacrificing personal data privacy. In addition, the service provider offering the location service can only view the data and cannot verify it, so the data owner can submit illegitimate proofs, for example forged ones, and the interests of the service provider cannot be protected.
In the field of access control based on location information, the related art provides a blockchain-based zero-knowledge proof approach: personal trajectory information is encrypted and stored on-chain by a blockchain device; a verifier then asks the data owner to prove a personal trajectory from that information, and the data owner obtains the personal location information from the blockchain and calculates a provable result on a personal terminal. However, when the data owner presents the verification result to the verifier on the personal terminal, it is difficult for the verifier to check for possible impersonation or tampering by the data owner.
Based on the above, the embodiments of the present invention provide an access control system, method, device, and computer-readable storage medium. The access control system includes a service request device, a service providing device, and a location providing device. The data owner sends a service request and an authorization query identifier to the service providing device through the service request device; the service providing device, connected with the service request device, receives the service request and the authorization query identifier, generates constraint conditions for a zero-knowledge proof according to them, and outputs the constraint conditions to the location providing device; the location providing device, connected with the service providing device, receives the constraint conditions, queries the location data of the service request device according to the constraint conditions, performs a zero-knowledge proof over the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the service providing device; the service providing device then verifies the provable result to obtain a verification result, and provides the location-based service to the service request device according to the verification result.
Compared with the related art, in the access control system of the embodiments the data owner authorizes the service providing device through the service request device, and the zero-knowledge proof is performed over the constraint conditions and the location data, so the risk of counterfeiting or tampering by the data owner can be avoided and the rights and interests of the provider of the location-based service are effectively protected. In addition, no new trusted device needs to be introduced, the provable result does not include the location data of the service request device, and personal privacy data can be protected and computational integrity made trustworthy on the basis of the existing access network, which further reduces cost.
Embodiments of the present invention will be further described below with reference to the accompanying drawings.
An embodiment of a first aspect of the present invention specifically provides an access control system, referring to fig. 1, fig. 1 is a schematic structural diagram of an access control system provided in one embodiment of the present invention, where the access control system includes a service request device, a service providing device, and a location providing device, where the service request device is configured to send a service request and an authorization query identifier; the service providing device is connected with the service request device and is used for receiving the service request and the authorized inquiry identification, generating constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identification and outputting the constraint conditions; the position providing device is connected with the service providing device and is used for receiving the constraint condition, obtaining a provable result based on zero knowledge proof according to the constraint condition and outputting the provable result to the service providing device; the service providing device is further used for verifying the provable result to obtain a verification result, and judging whether to provide the service based on the position to the service request device according to the verification result, wherein the provable result does not include the position data of the service request device.
In the access control system based on the position information of the existing access network condition, the constraint condition and the position data are subjected to zero knowledge proof to verify whether the data owner meets the requirements of a service provider for providing the position service, so that the trust problem of the calculation integrity of the independent data platform is further realized; the provable result obtained through zero knowledge proof replaces the traditional mode that the personal position information must be displayed, so that personal privacy data are protected; the data owner sends the service request to the service providing device through the service request device and authorizes the service request, the provable result is calculated without depending on the calculation capability of the personal terminal device, the possible counterfeiting or falsification risks of the data owner are prevented, and the rights and interests of the service provider side providing the location-based service are effectively ensured.
The identification includes identification information of the data owner and location information that the data owner needs to query. The identification information of the data owner can be a mobile phone number, an employee ID of an employee, or other identification information capable of identifying the data owner, which is not limited in the embodiment of the present invention.
It should be noted that, the specific flow of obtaining the provable result is as follows: and the position providing device queries the position data of the service request device according to the constraint condition, and performs zero knowledge proof on the constraint condition and the position data to obtain a provable result.
Specifically, the data owner sends a service request to the service providing device, namely the service provider, through the service request device and authorizes the service providing device, and the service providing device is allowed to use the identity identifier of the data owner to inquire the position information which the data owner needs to inquire; the service providing device inquires the identification information of the data owner and the position information to be inquired according to the service request and the authorization sent by the data owner through the service request device, forms constraint conditions of zero knowledge proof according to the identification information and the position information, and sends the constraint conditions to the position providing device; the position providing device queries the position providing device according to the constraint condition to obtain position data corresponding to the data owner, performs zero knowledge proof on the constraint condition and the position data to obtain a provable result, and outputs the provable result to the service providing device; the service providing equipment performs verification processing on the provable result to obtain a verification result, wherein the verification result comprises the provable result of the sampling this time if the provable result is verified according to constraint conditions and is obtained by zero knowledge proof calculation, otherwise, the provable result of the sampling this time is not approved or the provable result is obtained again, and the verification processing is performed again until the provable result of the sampling this time; if the current provable result is collected, the service providing device provides the position-based service for the data owner, and if the current provable result is not approved, the service providing device refuses to provide the position-based service for the data owner.
It should be noted that the provable result does not include the personal position data of the data owner. The location data is stored in a homomorphic encryption manner, and the location data may be plaintext storage or ciphertext storage, which is not limited in this embodiment of the present invention.
Referring to fig. 1, it may be understood that the location providing device includes a ZKP prover calling module and a data source module, where the ZKP prover calling module is connected to the service providing device and the data source module, respectively, and the ZKP prover calling module is configured to query from the data source module according to constraint conditions to obtain location data of the service requesting device, perform zero knowledge proof on the constraint conditions and the location data to obtain a provable result, and output the provable result to the service providing device.
The position providing device comprises a data processing device and a data source, wherein the data processing device is provided with a ZKP prover calling module, the data source is provided with a data source module, and the service providing device sends constraint conditions to the data processing device in the position providing device; the data processing device queries and acquires position data corresponding to the data owner from a data source module in the data source according to the constraint condition, and the ZKP prover calling module performs zero knowledge proof on the constraint condition and the position data to obtain a provable result and outputs the provable result to the service providing device.
The ZKP is an abbreviation of Zero Knowledge Proof, and is translated into zero knowledge proof. Zero knowledge proof refers to the ability of a prover to trust that a certain assertion is correct without providing any useful information to the verifier. Zero knowledge proof is essentially a protocol involving two or more parties, i.e., a series of steps that two or more parties need to take to complete a task. The prover proves to the verifier and believes itself to know or own a certain message, but the proving process cannot reveal any information about the proved message to the verifier.
Referring to fig. 1, it may be understood that the service providing apparatus includes a ZKP prover distribution module, a ZKP verifier calling module, and a service module, where the service module is connected to the service requesting apparatus, the ZKP prover distribution module, and the ZKP verifier calling module, respectively, and the ZKP prover distribution module is connected to an input end of the ZKP prover calling module, and the ZKP verifier calling module is connected to an output end of the ZKP prover calling module; the ZKP prover distribution module is used for generating constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identifier and outputting the constraint conditions to the position providing equipment; the ZKP verifier calling module is used for receiving the provable result, verifying the provable result to obtain a verification result, and sending the verification result to the service module; and the service module is used for judging whether to provide the service based on the position for the service request equipment according to the verification result.
The ZKP prover distribution module forms the constraint conditions of the zero knowledge proof according to the identification information of the data owner and the location information to be queried, and outputs the constraint conditions to the ZKP prover calling module, so that the ZKP prover calling module obtains the location data corresponding to the data owner from the data source module according to the constraint conditions, performs zero knowledge proof on the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the ZKP verifier calling module. The ZKP verifier calling module calls a verification function to verify the provable result and obtain a verification result, wherein: if the provable result is verified as having been calculated according to the constraint conditions and by zero knowledge proof, the provable result is accepted; otherwise, the provable result is not accepted, or the provable result is obtained again and verified again until a provable result is accepted. The ZKP verifier calling module sends the verification result to the service module, and the service module decides, according to the verification result, whether to provide the location-based service to the service request device; specifically, if the current provable result is accepted, the service module provides the location-based service to the data owner, and if the current provable result is not accepted, the service module refuses to provide the location-based service to the data owner.
It should be noted that, the access control method may be applied to access based on a cellular network user's journey, may also be applied to a permission evaluation system based on a user's access location, and may also be applied to other embodiments, where the above two embodiments are only preferred embodiments of the technical solution of the present invention, and are not intended to limit the scope of protection of the present invention. Any modification, equivalent, replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
For example, referring to fig. 2, to identify whether a mobile phone user has been to an epidemic high-risk city in the last 14 days, the specific flow is as follows: first, the UE user applies to enter a public service place, for example by scanning a code, and authorizes the public service place providing the service to use the user's own mobile phone number for a historical location query; the public service place generates the constraint conditions of the zero knowledge proof according to the acquired mobile phone number and the time period and location space list that the service needs to query, and sends the constraint conditions to the data processing platform of the operator; the data processing platform of the operator performs zero knowledge proof according to the received constraint conditions and the user's historical location track information stored by the operator's cellular network platform, and returns a provable result to the public service place, where the provable result does not include the personal location data of the UE user; it includes only the result of whether the user has been to an epidemic high-risk city in the last 14 days, together with verifiable information, and the verifiable information does not include the personal location data of the UE user; the public service place verifies the provable result, and if the provable result is verified as having been calculated strictly according to the constraint conditions, the provable result is accepted; otherwise, the data processing platform is required to recalculate, or the provable result is considered to be false; finally, the public service place decides whether to provide the location-based service to the UE user according to the verification result.
For example, referring to fig. 3, in a security authorization scenario an employee logs in to an office system, and the risk needs to be evaluated according to the employee's location (such as home or a company site) so that permissions of different levels can be granted. The specific procedure is as follows: first, the user who needs to access the network requests the access service and authorizes the access system to use the user's own user ID, where the access system may not be owned by the network provider, for example a general security service provided by an independent third-party security vendor in the form of a cloud platform, so the specific location information of employees cannot be exposed to the access system; the access control system generates the constraint conditions of the zero knowledge proof according to the user ID (such as an employee ID), the time period (such as the current access time) and the location list (such as the locations of all office parks of the company), and sends the constraint conditions to the data processing platform of the network provider (such as the company IT system), namely the ZKP prover calling module; the data processing platform of the network provider, namely the ZKP prover calling module, performs zero knowledge proof according to the received constraint conditions and the user network access point information (such as IP) stored in the platform of the network provider to obtain a provable result, and returns the provable result to the access system, where the provable result does not contain the specific access location information of the employee, and the verifiable information does not contain the specific access location information of the employee either; the access system verifies the provable result, and if the provable result is verified as having been calculated strictly according to the constraint conditions, the provable result is accepted; otherwise, the data processing platform is required to recalculate, or the provable result is considered to be false; finally, the access system evaluates the risk level of the access user according to the verification result, and then decides to grant the access user the permission of the corresponding level.
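The constraint, proof, verification and decision exchange of the fig. 3 scenario, as an added Python example that is not code from the patent. The patent names no proof system; this sketch assumes a Pedersen commitment with a Fiat-Shamir OR-proof over a demo-sized group, covers only the "location is in the list" case, and every function name and sample value is constructed.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Miller-Rabin with fixed bases; adequate for picking demo parameters."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(bits):
    """First prime q >= 2**(bits-1) with p = 2q + 1 also prime."""
    q = 2 ** (bits - 1) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1

def _h(*parts):
    """Hash values to an integer; repr() keeps the encoding unambiguous."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

# Demo-sized group (assumption); a deployment would use a standard group or curve.
Q, P = _safe_prime_group(256)
G = 4                                               # a square mod P, so order Q
H = pow(_h("zkp-demo-second-generator") % P, 2, P)  # log_G(H) is unknown

def loc_id(name):
    """Encode a location name as an exponent modulo Q."""
    return _h("loc", name) % Q

def _targets(constraint, C):
    """Y_i = C / G^v_i; the prover knows log_H(Y_i) only for the committed v_i."""
    return [C * pow(G, -loc_id(v) % Q, P) % P for v in constraint["locations"]]

def _branch(Y, c, s):
    """Branch commitment a_i = H^s_i * Y_i^(-c_i)."""
    return pow(H, s, P) * pow(Y, -c % Q, P) % P

def _challenge(constraint, C, a):
    """Fiat-Shamir challenge, bound to user ID, period and location list."""
    return _h(sorted(constraint.items()), C, a) % Q

def prove(constraint, actual_location):
    """ZKP prover calling module: provable result, or None if the constraint is unmet."""
    locs = constraint["locations"]
    if actual_location not in locs:
        return None
    k, n = locs.index(actual_location), len(locs)
    r = secrets.randbelow(Q)                        # blinding factor
    C = pow(G, loc_id(actual_location), P) * pow(H, r, P) % P
    Y = _targets(constraint, C)
    c = [secrets.randbelow(Q) for _ in range(n)]    # simulated challenges
    s = [secrets.randbelow(Q) for _ in range(n)]    # simulated responses
    a = [_branch(Y[i], c[i], s[i]) for i in range(n)]
    w = secrets.randbelow(Q)
    a[k] = pow(H, w, P)                             # the one real branch
    c[k] = (_challenge(constraint, C, a) - sum(c) + c[k]) % Q
    s[k] = (w + c[k] * r) % Q
    return {"C": C, "c": c, "s": s}                 # no location, no index k

def verify(constraint, proof):
    """ZKP verifier calling module: True only for a proof made for this constraint."""
    n = len(constraint["locations"])
    if not proof or len(proof["c"]) != n or len(proof["s"]) != n:
        return False
    C, c, s = proof["C"], proof["c"], proof["s"]
    if not 0 < C < P or pow(C, Q, P) != 1:          # C must be in the order-Q subgroup
        return False
    Y = _targets(constraint, C)
    a = [_branch(Y[i], c[i], s[i]) for i in range(n)]
    return sum(c) % Q == _challenge(constraint, C, a)

def access_decision(constraint, proof):
    """Service module: grant only when the provable result is accepted."""
    return "grant" if verify(constraint, proof) else "deny"

# Constructed constraint, as the ZKP prover distribution module would send it.
CONSTRAINT = {"user_id": "employee-1001", "period": "2024-01-01T09:00Z",
              "locations": ["campus-a", "campus-b", "campus-c"]}
```

The sketch does not bind the commitment `C` to the provider's stored record; that link is assumed to come from the location providing device acting as the data source.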
It should be noted that UE is the abbreviation of User Equipment; IT is the abbreviation of Information Technology; ID is the abbreviation of Identity Document, i.e. an identification number.
In a second aspect, an embodiment of the present invention further provides an access control method, applied to a service request device, referring to fig. 1 and fig. 5, where the method includes, but is not limited to, the following steps:
step S100, sending a service request and an authorized inquiry identifier to the service providing equipment so that the service providing equipment generates constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identifier and outputs the constraint conditions to the position providing equipment;
step S200, receiving a location-based service from the service providing device, where the location-based service is sent after the service providing device verifies a provable result provided by the location providing device, and the provable result is obtained by the location providing device based on zero knowledge proof according to the constraint conditions; wherein the provable result does not include location data of the service requesting device.
It should be noted that, the access control method provided in the second aspect is specifically applied to a service request device of an access control system, where the access control system further includes a service providing device and a location providing device, and the service providing device is connected to the service request device and the location providing device respectively.
Specifically, the position providing device comprises a ZKP prover calling module and a data source module, wherein the ZKP prover calling module is respectively connected with the output ends of the service providing device and the data source module; the service providing device comprises a ZKP prover distribution module, a ZKP verifier calling module and a service module, wherein the service module is respectively connected with the service request device, the input end of the ZKP prover distribution module and the output end of the ZKP verifier calling module, the output end of the ZKP prover distribution module is connected with the input end of the ZKP prover calling module, and the input end of the ZKP verifier calling module is connected with the output end of the ZKP prover calling module.
It should be noted that, referring to fig. 2, the data owner sends a service request to the service providing device through the service request device and performs authorization, so that the ZKP prover distribution module forms a constraint condition of zero knowledge proof according to the identification information of the data owner and the position information to be queried, and outputs the constraint condition to the ZKP prover calling module, so that the ZKP prover calling module performs zero knowledge proof on the constraint condition and the position data to obtain a provable result and outputs the provable result to the ZKP verifier calling module, the ZKP verifier calling module calls a verification function according to the provable result to perform verification processing on the provable result to obtain a verification result, and the ZKP verifier calling module sends the obtained verification result to the service module, and the service module decides whether to provide a position-based service to the service request device according to the verification result, specifically, if the provable result is not approved, the service module refuses to provide the position-based service to the data owner.
It should be noted that, the data owner sends the service request to the service providing device through the service request device and performs authorization, and the provable result is calculated without depending on the computing capability of the personal terminal device, so that the possible risk of counterfeiting or tampering of the data owner is prevented, and the rights and interests of the service provider providing the location-based service are effectively ensured. Compared with the related art, the access control method of the embodiment of the invention has the advantages that the data owner authorizes the service providing equipment through the service request equipment and performs zero knowledge proof on the constraint condition and the position data, so that the possible counterfeit or falsification risk of the data owner can be avoided, and the rights and interests of the service provider providing the position-based service can be effectively ensured; and new trusted equipment is not required to be introduced, personal privacy data can be protected and the credibility of calculation integrity is ensured based on the existing access network, so that the cost is reduced.
In a third aspect, an embodiment of the present invention further provides an access control method, which is applied to a service providing device of an access control system, and referring to fig. 1 and 6, the access control system further includes a service request device and a location providing device, where the service providing device is connected to the service request device and the location providing device, respectively;
An access control method including, but not limited to, the steps of:
step S300, receiving a service request and an authorized inquiry identifier of a service request device, and obtaining constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identifier;
step S400, transmitting constraint conditions to the position providing equipment so that the position providing equipment obtains a provable result based on zero knowledge proof according to the constraint conditions; wherein the provable result does not include location data of the service requesting device;
step S500, receiving the provable result sent by the position providing device, carrying out verification processing on the provable result to obtain a verification result, and judging whether the service request device provides the position-based service according to the verification result.
step S600, if the determination result is yes, transmitting the location-based service.
It should be noted that the access control method provided by the embodiment of the third aspect is specifically applied to a service providing device of an access control system, where the access control system further includes a service request device and a location providing device, and the service providing device is connected to the service request device and the location providing device respectively.
The position providing device comprises a data processing device and a data source, wherein a ZKP prover calling module is arranged in the data processing device, a data source module is arranged in the data source, the ZKP prover calling module is respectively connected with the service providing device and the data source module, and the service providing device sends constraint conditions to the data processing device in the position providing device; the data processing device queries and acquires position data corresponding to the data owner from a data source module in the data source according to the constraint condition, and the ZKP prover calling module performs zero knowledge proof on the constraint condition and the position data to obtain a provable result and outputs the provable result to the service providing device.
It should be noted that, compared with the related art, the access control method of the embodiment of the present invention authorizes the service providing device through the service requesting device by the data owner, and performs zero knowledge proof on the constraint condition and the location data, so that possible risk of impersonation or tampering of the data owner can be avoided, and the rights and interests of the service provider providing the location-based service can be effectively ensured; and new trusted equipment is not required to be introduced, personal privacy data can be protected and the credibility of calculation integrity is ensured based on the existing access network, so that the cost is reduced.
It should be noted that, referring to fig. 2, the data owner sends a service request to the service providing device through the service requesting device and performs authorization, so that the service providing device forms a constraint condition of zero knowledge proof according to the identification information of the data owner and the location information to be queried, and outputs the constraint condition to the ZKP prover calling module through the service providing device, so that the ZKP prover calling module performs zero knowledge proof on the constraint condition and the location data to obtain a provable result and outputs the provable result back to the service providing device, the service providing device calls a verification function according to the provable result to perform verification processing on the provable result to obtain a verification result, and the service providing device decides whether to provide a location-based service to the service requesting device according to the verification result, specifically: if the current provable result is collected, the service module provides the position-based service for the data owner, and if the current provable result is not approved, the service module refuses to provide the position-based service for the data owner.
By way of example, when the access control method is applied to identifying whether a mobile phone user has been to an epidemic high-risk city in the last 14 days, the provable result is either that the user has been to an epidemic high-risk city, or that the user has not been to an epidemic high-risk city.
Referring to fig. 2 and 7, it may be understood that the service providing apparatus includes a ZKP prover distribution module, a ZKP verifier call module, and a service module, where the service module is connected to the service requesting apparatus, the ZKP prover distribution module, and the ZKP verifier call module, and the ZKP prover distribution module is connected to an input of the ZKP prover call module, and the ZKP prover call module is connected to an output of the ZKP verifier call module; obtaining constraint conditions of zero knowledge proof according to service request and authorization query identification in step S300, and sending constraint conditions to the position providing device in step S400, including but not limited to the following steps:
step S410, the service request and the authorized query identifier are sent to the ZKP prover distribution module, so that the ZKP prover distribution module generates constraint conditions of zero knowledge proof according to the service request and the authorized query identifier, and sends the constraint conditions to the location providing device.
Specifically, the ZKP prover distribution module forms constraint conditions of zero knowledge proof according to the identification information of the data owner and the position information to be queried, and outputs the constraint conditions to the ZKP prover calling module, so that the ZKP prover calling module performs zero knowledge proof on the constraint conditions and the position data to obtain a provable result and outputs the provable result to the ZKP verifier calling module.
Referring to fig. 2 and 8, it may be understood that the verification process is performed on the provable result in step S500 to obtain a verification result, including, but not limited to, the following steps:
step S510, sending the provable result to the ZKP verifier calling module, so that the ZKP verifier calling module verifies the provable result to obtain a verification result.
It should be noted that the provable result is output to the ZKP verifier calling module. The ZKP verifier calling module calls a verification function to verify the provable result and obtain a verification result, and sends the verification result to the service module; the service module determines, according to the verification result, whether to provide the location-based service to the service request device. Specifically, if the provable result is accepted, the service module provides the location-based service to the data owner; if the provable result is not accepted, the service module refuses to provide the location-based service to the data owner.
Referring to fig. 9, it can be understood that determining whether to provide the location-based service to the service requesting device according to the verification result in step S500 includes, but is not limited to, the following steps:
step S520, the verification result is sent to the service module, so that the service module can judge whether to provide the service based on the position to the service request device according to the verification result.
It should be noted that, if the provable result is verified as having been calculated according to the constraint conditions and by zero knowledge proof, the provable result is accepted; otherwise, the provable result is not accepted, or the provable result is obtained again and verified again until a provable result is accepted. If the current provable result is accepted, the service module provides the location-based service to the data owner, and if the current provable result is not accepted, the service module refuses to provide the location-based service to the data owner.
Referring to fig. 10, it can be understood that the verification process is performed on the provable result in step S500 to obtain a verification result, including, but not limited to, the following steps:
step S530, verifying the provable result, and if the provable result is obtained according to zero knowledge proof under the constraint conditions, determining that the verification result is a trusted provable result;
step S540, if the provable result is not obtained according to zero knowledge proof under the constraint conditions, determining that the verification result is a rejected provable result.
It should be noted that the ZKP verifier calling module calls the verification function to verify the provable result and obtain a verification result, where, if the provable result is not obtained according to zero knowledge proof under the constraint conditions, it is determined that the verification result is a rejected provable result, or the provable result is obtained again and verified again until it is determined that the verification result is a trusted provable result.
Referring to fig. 11, it can be understood that determining whether to provide the location-based service to the service requesting device according to the verification result in step S500 includes, but is not limited to, the following steps:
step S550, if the verification result is a trusted provable result, providing the location-based service to the service request device;
step S560, if the verification result is a rejected provable result, refusing to provide the location-based service to the service request device.
It should be noted that, the service module decides whether to provide the service based on the location for the data owner according to the verification result obtained by the ZKP verifier calling module.
Specifically, the data owner sends a service request to the service providing device, namely the service provider, through the service request device and authorizes the service providing device, allowing it to use the identity identifier of the data owner to query the location information that needs to be queried, where the location information includes location space information and time information; the service providing device obtains the identification information of the data owner and the location information to be queried according to the service request and the authorization sent by the data owner, forms the constraint conditions of the zero knowledge proof according to the identification information and the location information, and sends the constraint conditions through the ZKP prover distribution module to the ZKP prover calling module in the location providing device; the ZKP prover calling module queries the data source module in the data source according to the constraint conditions to obtain the location data corresponding to the data owner, performs zero knowledge proof on the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the ZKP verifier calling module; the ZKP verifier calling module then verifies the provable result to obtain a verification result; if the verification result is a trusted provable result, the service module provides the location-based service to the data owner, and if the verification result is a rejected provable result, the service module refuses to provide the location-based service to the data owner.
In a fourth aspect, an embodiment of the present invention further provides an access control method, which is applied to a location providing device of an access control system; referring to fig. 1 and 12, the access control system further includes a service request device and a service providing device, where the service providing device is connected to the service request device and the location providing device, respectively;
an access control method including, but not limited to, the steps of:
step S700, obtaining constraint conditions of zero knowledge proof from the service providing equipment, and obtaining a provable result based on the zero knowledge proof according to the constraint conditions; wherein the provable result does not include location data of the service requesting device;
step S800, outputting the provable result to the service providing device, so that the service providing device can perform verification processing on the provable result to generate a verification result, and judging whether to provide the service based on the position to the service requesting device according to the verification result.
It should be noted that, the access control method provided in the fourth aspect is specifically applied to a location providing device of an access control system, where the access control system further includes a service request device and a service providing device, and the service providing device is connected to the service request device and the location providing device respectively.
Before step S700, the service requesting device sends a service request and an authorized query identifier to the service providing device, so that the service providing device queries the identification information of the data owner and the location information to be queried by the data owner according to the service request and the authorized query, generates constraint conditions of zero knowledge proof according to the identification information and the location information, and sends the constraint conditions to the location providing device.
Illustratively, the data owner sends a service request to the service providing device, namely the service provider, through the service request device and authorizes the service providing device, allowing it to use the identity identifier of the data owner to query the location information that needs to be queried, where the location information includes location space information and time information; the service providing device obtains the identification information of the data owner and the location information to be queried according to the service request and the authorization sent by the data owner through the service request device, forms the constraint conditions of the zero knowledge proof according to the identification information and the location information, and sends the constraint conditions to the location providing device; the location providing device queries according to the constraint conditions to obtain the location data corresponding to the data owner, performs zero knowledge proof on the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the service providing device; the service providing device verifies the provable result to obtain a verification result, wherein: if the provable result is verified as having been calculated according to the constraint conditions and by zero knowledge proof, the current provable result is accepted; otherwise, the current provable result is not accepted, or the provable result is obtained again and verified again until a provable result is accepted; if the current provable result is accepted, the service providing device provides the location-based service to the data owner, and if the current provable result is not accepted, the service providing device refuses to provide the location-based service to the data owner.
Referring to fig. 2 and 13, it can be understood that the location providing device includes a ZKP prover calling module and a data source module, and the ZKP prover calling module is connected with the service providing device and the data source module, respectively; querying for location data of the service requesting device according to the constraint, and obtaining a provable result based on zero knowledge proof according to the constraint in step S700, including but not limited to the following steps:
step S710, sending the constraint conditions to the ZKP prover calling module, so that the ZKP prover calling module queries the location data of the service request device from the data source module according to the constraint conditions and performs zero knowledge proof on the constraint conditions and the location data to obtain a provable result.
The service providing device comprises a ZKP prover distribution module, a ZKP verifier calling module and a service module, wherein the service module is respectively connected with the service request device, the ZKP prover distribution module and the ZKP verifier calling module, the ZKP prover distribution module is connected with the input end of the ZKP prover calling module, and the ZKP verifier calling module is connected with the output end of the ZKP prover calling module.
The ZKP prover distribution module forms the constraint conditions of the zero knowledge proof according to the identification information of the data owner and the location information to be queried, and outputs the constraint conditions to the ZKP prover calling module, so that the ZKP prover calling module obtains the location data corresponding to the data owner from the data source module according to the constraint conditions, performs zero knowledge proof on the constraint conditions and the location data to obtain a provable result, and outputs the provable result to the ZKP verifier calling module. The ZKP verifier calling module calls a verification function to verify the provable result and obtain a verification result, wherein: if the provable result is verified as having been obtained according to zero knowledge proof under the constraint conditions, the verification result is determined to be a trusted provable result; otherwise, the verification result is determined to be a rejected provable result, or the provable result is obtained again and verified again until a trusted provable result is obtained. The ZKP verifier calling module sends the verification result to the service module, and the service module decides, according to the verification result, whether to provide the location-based service to the service request device; specifically, if the verification result is a trusted provable result, the service module provides the location-based service to the service request device, and if the verification result is a rejected provable result, the service module refuses to provide the location-based service to the service request device.
In some embodiments, referring to fig. 2, the access control system is applied to access control based on the travel history of cellular network users. An exemplary case is checking whether a mobile phone user has been to an epidemic high-risk city in the last 14 days. The specific procedure is as follows. First, the UE user applies to enter a public service place, for example by scanning a code, and authorizes the public service place providing the service to use the user's own mobile phone number for a historical location query. The public service place generates the constraint conditions of the zero-knowledge proof from the acquired mobile phone number, the time period, and the location space list to be queried for the service, and sends the constraint conditions to the operator's data processing platform. The operator's data processing platform performs the zero-knowledge proof according to the received constraint conditions and the user's historical location track information stored by the operator's cellular network platform, and returns a provable result to the public service place. The provable result contains only the outcome of whether the user has been to an epidemic high-risk city in the last 14 days, together with verifiable information; it does not include the personal location data of the UE user. The public service place verifies the provable result: if the provable result is verified to have been calculated strictly according to the constraint conditions, the provable result is accepted; otherwise, the data processing platform is required to recalculate, or the provable result is considered false. Finally, the public service place decides whether to provide the location-based service to the UE user according to the verification result.
In some embodiments, referring to fig. 3, the access control system is applied to a permission evaluation system based on the user's access location. An exemplary security authorization scenario is an employee logging in to an office system, where risk must be evaluated according to the employee's location (such as home or a company site) and permissions of different levels granted accordingly. The specific procedure is as follows. First, a user who needs to access the network requests the access service and authorizes the access system to use the user's own user ID. The access system may not be owned by the network provider (for example, it may be a general security service provided in cloud-platform form by an independent third-party security vendor), so the specific location information of employees cannot be exposed to the access system. The access system generates the constraint conditions of the zero-knowledge proof from the user ID (such as an employee ID), the time period (such as the current access time), and the location list (such as the locations of all office parks of a company), and sends the constraint conditions to the network provider's data processing platform (such as a company IT system), that is, the ZKP prover calling module. The data processing platform of the network provider, that is, the ZKP prover calling module, performs the zero-knowledge proof according to the received constraint conditions and the user network access point information (such as IP) stored on the network provider's platform to obtain a provable result, and returns the provable result to the access system. Neither the provable result nor its verifiable information contains the specific access location information of the employee. The access system verifies the provable result: if the provable result is verified to have been calculated strictly according to the constraint conditions, the provable result is accepted; otherwise, the data processing platform is required to recalculate, or the provable result is considered false. Finally, the access system evaluates the risk level of the accessing user according to the verification result and decides to grant the user the permission of the corresponding level.
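The access-location flow above (constraint, provable result, verification), as an added example that is not code from the patent. The patent names no proof scheme, so this assumes a Pedersen commitment with a Fiat-Shamir OR-proof over a demo-sized group, and assumes the verifier receives the commitment C from the data source over an authenticated channel; every function name and sample value is hypothetical.

```python
import hashlib, json, secrets

def is_prime(n):
    """Miller-Rabin with fixed small-prime bases (enough for this demo modulus)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_group():
    """First safe prime P = 2Q + 1 with Q > 2**61 (demo size, not production)."""
    q = 2**61 + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = demo_group()
G, H = 4, 9  # squares mod P: both generate the order-Q subgroup (demo choice)

def loc_id(name):
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % Q

def commit(location, r):
    """Data source: Pedersen commitment G^loc * H^r to one stored location."""
    return pow(G, loc_id(location), P) * pow(H, r, P) % P

def _branches(constraint, C, cs, ss):
    # T_i = C / G^l_i equals H^r only for the committed location; a_i = H^s_i / T_i^c_i
    T = [C * pow(G, -loc_id(l) % Q, P) % P for l in constraint["locations"]]
    return [pow(H, s, P) * pow(t, -c % Q, P) % P for s, c, t in zip(ss, cs, T)]

def _challenge(constraint, C, a):
    # Fiat-Shamir: binds the proof to this user, period and location list
    blob = json.dumps([constraint, C, a], sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % Q

def prove(constraint, C, location, r):
    """Prover: OR-proof that C opens to some listed location, hiding which one."""
    locs = constraint["locations"]
    if location not in locs:
        return {"in_list": False, "proof": None}
    j = locs.index(location)
    cs = [secrets.randbelow(Q) for _ in locs]   # simulated challenges
    ss = [secrets.randbelow(Q) for _ in locs]   # simulated responses
    k = secrets.randbelow(Q)
    a = _branches(constraint, C, cs, ss)
    a[j] = pow(H, k, P)                         # honest commitment for the real branch
    cs[j] = (_challenge(constraint, C, a) - sum(cs) + cs[j]) % Q
    ss[j] = (k + cs[j] * r) % Q
    return {"in_list": True, "proof": {"c": cs, "s": ss}}

def verify(constraint, C, result):
    """Verifier: accept only a proof computed under exactly this constraint."""
    proof, n = result.get("proof"), len(constraint["locations"])
    if not result.get("in_list") or not proof or pow(C, Q, P) != 1:
        return False
    cs, ss = proof["c"], proof["s"]
    a = _branches(constraint, C, cs, ss)
    return len(cs) == len(ss) == n and sum(cs) % Q == _challenge(constraint, C, a)

# Constructed sample constraint (hypothetical IDs, not from the patent)
CONSTRAINT = {"user_id": "emp-1001", "period": "2024-01-01T09:00/09:05",
              "locations": ["campus-A", "campus-B", "campus-C"]}
```

Because the challenge hashes the whole constraint, a proof issued for one user, period or location list fails verification under any other, which is the "calculated strictly according to the constraint conditions" check in the text.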
It will be appreciated that the location data is stored using homomorphic encryption.
It should be noted that, the location data of the service request device is obtained by inquiring from the data source module according to the constraint condition and stored in a homomorphic encryption mode, so as to better protect the location data. The location data may be plaintext or ciphertext, and embodiments of the present invention are not limited in this respect.
In addition, an embodiment of the fifth aspect of the present invention further provides an access control apparatus, including: memory, a processor, and a computer program stored on the memory and executable on the processor.
The processor and the memory may be connected by a bus or other means.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the access control method of the second aspect embodiment described above are stored in the memory and, when executed by the processor, perform the access control method of the embodiment described above, for example, the method steps S100 to S200 in fig. 5 described above.
The non-transitory software program and instructions required to implement the access control method of the above-described third aspect embodiment are stored in the memory, and when executed by the processor, the access control method in the above-described embodiments is performed, for example, the method steps S300 to S600 in fig. 6, the method step S410 in fig. 7, the method step S510 in fig. 8, the method step S520 in fig. 9, the method steps S530 to S540 in fig. 10, and the method steps S550 to S560 in fig. 11 described above are performed.
The non-transitory software program and instructions required to implement the access control method of the fourth aspect embodiment described above are stored in the memory, and when executed by the processor, the access control method in the above embodiment is performed, for example, the method steps S700 to S900 in fig. 12 described above, and the method step S910 in fig. 13 are performed.
The above described embodiments of the apparatus are only illustrative, wherein the units described as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, an embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions that are executed by a processor or controller, for example, by one of the processors in the above-described device embodiments, which may cause the processor to perform the access control method in the above-described embodiment, for example, to perform the method steps S100 to S200 in fig. 5, the method steps S300 to S600 in fig. 6, the method step S410 in fig. 7, the method step S510 in fig. 8, the method step S520 in fig. 9, the method steps S530 to S540 in fig. 10, the method steps S550 to S560 in fig. 11, the method steps S700 to S900 in fig. 12, and the method step S910 in fig. 13 described above.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the above embodiment, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present invention, and these equivalent modifications and substitutions are intended to be included in the scope of the present invention as defined in the appended claims.

Claims (15)

1. An access control system, comprising:
the service request equipment is used for sending a service request and an authorization inquiry identifier;
the service providing device is connected with the service request device and is used for receiving the service request and the authorized inquiry identification, generating constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identification and outputting the constraint conditions;
the position providing device is connected with the service providing device and is used for receiving the constraint condition, obtaining a provable result based on zero knowledge proof according to the constraint condition and outputting the provable result to the service providing device; the service providing device is further configured to perform verification processing on the provable result to obtain a verification result, and determine whether to provide a location-based service for the service request device according to the verification result, where the provable result does not include location data of the service request device.
2. The system of claim 1, wherein the location providing device comprises a ZKP prover calling module and a data source module, the ZKP prover calling module is respectively connected with the service providing device and the data source module, the ZKP prover calling module is used for inquiring the location data of the service requesting device from the data source module according to the constraint condition, performing zero knowledge proof on the constraint condition and the location data to obtain the provable result, and outputting the provable result to the service providing device.
3. The system of claim 1, wherein the service providing device comprises a ZKP prover distribution module, a ZKP verifier invocation module, and a service module, the service module being respectively connected to the service requesting device, the ZKP prover distribution module, the ZKP verifier invocation module, the ZKP prover distribution module being connected to an input of the ZKP prover invocation module, the ZKP verifier invocation module being connected to an output of the ZKP prover invocation module; the ZKP prover distribution module is used for generating constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identification, and outputting the constraint conditions to the position providing equipment; the ZKP verifier calling module is used for receiving the provable result, verifying the provable result to obtain a verification result, and sending the verification result to the service module; and the service module is used for judging whether to provide the service based on the position for the service request equipment according to the verification result.
4. An access control method, applied to a service request device, comprising:
sending a service request and an authorized inquiry identifier to a service providing device, so that the service providing device generates constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identifier and outputs the constraint conditions to a position providing device;
and receiving a location-based service from the service providing device, wherein the location-based service is transmitted after the service providing device verifies a provable result provided by the location providing device, the provable result being obtained by the location providing device according to the constraint condition based on zero knowledge proof, and the provable result does not comprise location data of the service requesting device.
5. An access control method applied to a service providing apparatus, the method comprising:
receiving a service request and an authorized inquiry identifier of a service request device, and obtaining constraint conditions of zero knowledge proof according to the service request and the authorized inquiry identifier;
transmitting the constraint condition to a position providing device so that the position providing device obtains a provable result based on zero knowledge proof according to the constraint condition, wherein the provable result does not comprise position data of the service request device;
receiving the provable result sent by the position providing device, verifying the provable result to obtain a verification result, and judging whether to provide a position-based service for the service request device according to the verification result;
and if the judgment result is yes, sending the service based on the position.
6. The method of claim 5, wherein the service providing device comprises a ZKP prover distribution module, a ZKP verifier invocation module, and a service module, the service module being respectively connected to the service requesting device, the ZKP prover distribution module, the ZKP verifier invocation module, the ZKP prover distribution module being connected to an input of the ZKP prover invocation module, the ZKP prover invocation module being connected to an output of the ZKP verifier invocation module; and obtaining constraint conditions of zero knowledge proof according to the service request and the authorized query identifier, and sending the constraint conditions to a position providing device, wherein the constraint conditions comprise:
and sending the service request and the authorized query identifier to the ZKP prover distribution module, so that the ZKP prover distribution module generates constraint conditions of zero knowledge proof according to the service request and the authorized query identifier, and sends the constraint conditions to a position providing device.
7. The method of claim 6, wherein the verifying the provable result to obtain a verified result comprises:
and sending the provable result to the ZKP verifier calling module so that the ZKP verifier calling module performs verification processing on the provable result to obtain a verification result.
8. The method of claim 6, wherein the determining whether to provide the location-based service to the service-requesting device based on the verification result comprises:
and sending the verification result to the service module, so that the service module judges whether to provide the service based on the position for the service request equipment according to the verification result.
9. The method of claim 5, wherein the verifying the provable result to obtain a verification result comprises:
performing verification processing on the provable result, and if the provable result is obtained according to zero knowledge proof under the constraint condition, determining that the verification result is to accept the provable result;
and if the provable result is not obtained according to zero knowledge proof under the constraint condition, determining that the verification result is to refuse to accept the provable result.
10. The method of claim 9, wherein the determining whether to provide the location-based service to the service-requesting device based on the verification result comprises:
if the verification result is to accept the provable result, providing a location-based service for the service request device;
and if the verification result is to refuse to accept the provable result, refusing to provide the service based on the position for the service request equipment.
11. An access control method applied to a location providing device, the method comprising:
obtaining constraint conditions of zero knowledge proof from service providing equipment, and obtaining a provable result based on the zero knowledge proof according to the constraint conditions, wherein the provable result does not comprise position data of the service requesting equipment;
and outputting the provable result to the service providing device so that the service providing device can carry out verification processing on the provable result to generate a verification result, and judging whether to provide the service request device with the service based on the position according to the verification result.
12. The method of claim 11, wherein the location providing device comprises a ZKP prover invocation module and a data source module, the ZKP prover invocation module being respectively connected to the service providing device, the data source module; the obtaining the provable result based on zero knowledge proving according to the constraint condition comprises the following steps:
and sending the constraint condition to the ZKP prover calling module, so that the ZKP prover calling module queries the data source module according to the constraint condition to obtain the position data of the service request equipment, and performs zero knowledge proof on the constraint condition and the position data to obtain a provable result.
13. A method according to any one of claims 11 or 12, wherein the location data is stored using homomorphic encryption.
14. An access control device, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing when executing the computer program:
the access control method of claim 4;
or,
the access control method according to any one of claims 5 to 10;
or,
the access control method according to any one of claims 11 to 13.
15. A computer-readable storage medium storing computer-executable instructions for:
performing the access control method of claim 4;
or,
performing the access control method of any one of claims 5 to 10;
or,
performing the access control method of any one of claims 11 to 13.
CN202210875971.5A 2022-07-25 2022-07-25 Access control system, method, apparatus, and computer-readable storage medium Pending CN117499059A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210875971.5A CN117499059A (en) 2022-07-25 2022-07-25 Access control system, method, apparatus, and computer-readable storage medium
PCT/CN2023/106989 WO2024022110A1 (en) 2022-07-25 2023-07-12 Access control system and method, device and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN117499059A (en) 2024-02-02

Family

ID=89674958

Also Published As

Publication number Publication date
WO2024022110A1 (en) 2024-02-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination