KR20190106551A - Apparatus for perfomming access contorl based on blockchain and method thereof - Google Patents

Abstract

The present invention provides a blockchain-based access control device. According to the present invention, the access control device comprises: a processor; a network interface; a memory; and at least one program loaded in the memory and executed by the processor. The at least one program may include instructions, which allows to perform operations of: generating a first data piece and a second data piece based on controlled object data given an access restriction period; and writing the first data piece on a first blockchain and processing the second data piece to be written on the first blockchain after the access restriction period has passed.

Description

Blockchain-based access control device and its operation method {APPARATUS FOR PERFOMMING ACCESS CONTORL BASED ON BLOCKCHAIN AND METHOD THEREOF}

The present invention relates to a blockchain-based access control device and a method of operating the same. More specifically, the present invention relates to an apparatus for controlling access to the control target data to a plurality of users while ensuring the integrity of the control target data using a blockchain, and a method of operating the apparatus.

Blockchain is a data management technology in which continuously increasing data is recorded in a specific unit of blocks, and each node constituting a peer-to-peer network manages the block in a chain-type data structure. Or it means the data itself consisting of the data structure of the chain form. At this time, the blockchain composed of a chain data structure is operated in the form of a distributed ledger at each node without a central system.

Each blockchain node constituting the blockchain network manages the blocks in a chain-shaped data structure as shown in FIG. Here, in each block, a hash value of the previous block is recorded, and the previous block may be referred to through the hash value. Therefore, as the blocks are stacked, forgery of the data recorded in the blocks becomes more difficult, the reliability of the data is improved, and the integrity of the data can be guaranteed even in a distributed environment.

On the other hand, in a blockchain-based system, all the data recorded on the blockchain is distributed and stored in all blockchain nodes, so that it is impossible to force a specific user not to view the data for a certain period (eg, a confidentiality period). . In other words, since the data recorded on the blockchain can be inquired to all users using the blockchain, it is impossible to restrict the user's access to the data for a certain period of time.

Of course, there is a method of restricting access to other users by encrypting the data and writing it on the blockchain, but the method performs encryption before writing the data on the blockchain and decrypts it when reading the data. It causes cumbersome tasks like doing it. In addition, when the confidentiality period of the corresponding data has elapsed, there is a problem that additional work such as distributing the encryption key or rewriting the data on the blockchain after decryption is required. In addition, there is a problem in that the encryption technology is less stable with the management of the encryption key and the development of computing technology.

Accordingly, there is a demand for a method that can efficiently perform access control on data requiring access restriction for a certain period of time in a blockchain environment.

Korean Patent Publication No. 10-2017-0137388 (published Dec. 13, 2017)

SUMMARY OF THE INVENTION The present invention has been made in an effort to provide an apparatus for performing access control on a control target data given an access restriction period in a blockchain environment, and a method of operating the apparatus.

The technical problems of the present invention are not limited to the above-mentioned technical problems, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

In order to solve the above technical problem, a blockchain-based access control device according to an embodiment of the present invention, a processor, a network interface, a memory and at least one loaded in the memory, executed by the processor A program, wherein the at least one program is further configured to generate a first data piece and a second data piece based on the control target data given an access restriction period, and write the first data piece on a first blockchain; And instructions for performing an operation of processing the second piece of data to be written on the first blockchain after the access restriction period has passed. In this case, the control object data may be reproducible based on the first data piece and the second data piece.

In an embodiment, the generating of the first data piece and the second data piece includes generating the first data piece and the second data piece according to a predetermined rule, The processing of writing to the data may include processing the second data piece and the preset rule to be recorded on the first blockchain.

In at least one example embodiment, the at least one program may further include instructions for performing an operation of generating forgery prevention information on the control target data and an operation of recording the forgery prevention information on the first blockchain. In one embodiment, the processing of writing on the first blockchain is performed in response to the writing of the second piece of data on a second blockchain and the elapse of the access restriction period. And registering a smart contract on the second blockchain. In this case, the smart contract may include a routine for processing the second piece of data recorded on the second blockchain to be recorded on the first blockchain.

In accordance with another aspect of the present invention, there is provided a blockchain-based access control apparatus comprising: a processor, a network interface, a memory, and at least one loaded in the memory and executed by the processor. May include a program. The at least one program is further configured to record the control target data given the access restriction period on the first blockchain and to process the control target data to be recorded on the second blockchain after the access restriction period. Instructions for performing an operation may be included.

In one embodiment, the first blockchain may be implemented such that only a user with a specific access right is allowed, and the second blockchain may be implemented to allow access of a user without the specific right.

In one embodiment, the first blockchain may be implemented in a private blockchain network, and the second blockchain may be implemented in a public blockchain network.

In one embodiment, the processing of writing on the second blockchain includes registering a smart contract executed on the first blockchain, the smart contract being executed in response to the elapse of the access restriction period. can do. In this case, the smart contract may include a routine for processing the control target data recorded on the first blockchain to be recorded on the second blockchain.

In one embodiment, the control target data includes the first data slice of the first data slice and the second data slice generated based on the original control target data, and the at least one program includes: Before passing, the method may further include instructions for performing an operation of writing the second piece of data on the second blockchain. In this case, the original control target data may be reproducible based on the first data piece and the second data piece.

In order to solve the above technical problem, a blockchain-based access control method according to an embodiment of the present invention is a blockchain-based access control method performed by an access control device. Generating a first data piece and a second data piece based on the data; recording the first data piece on the first blockchain; and after the access restriction period, the second data piece is stored in the first data piece. Processing to be recorded on one blockchain. In this case, the control object data may be reproducible based on the first data piece and the second data piece.

The blockchain-based access control method according to another embodiment of the present invention for solving the above technical problem, in the blockchain-based access control method performed by the access control device, the control target data given an access restriction period Recording on the first blockchain and processing the data to be controlled on the second blockchain after the access restriction period has passed.

A computer program according to an embodiment of the present invention for solving the above technical problem is combined with a computing device to generate a first data piece and a second data piece based on data to be controlled given an access restriction period. Writing the first piece of data onto the first blockchain and processing the second piece of data to be written onto the first blockchain after the access restriction period has passed. It may be stored in a readable recording medium. In this case, the control object data may be regenerated based on the first data piece and the second data piece.

The computer program according to another embodiment of the present invention for solving the above-described technical problem, combined with a computing device, recording the control target data given the access restriction period on the first blockchain and the access restriction period Afterwards, the control target data may be stored in a computer-readable recording medium to execute the step of processing the data to be recorded on the second blockchain.

1 is a diagram illustrating a data structure of a blockchain that may be referred to in some embodiments of the present invention.
2 is a block diagram of an exemplary system in which an access control method according to some embodiments of the present invention may be performed.
3 and 4 are diagrams for explaining the configuration of a blockchain network that can be referred to in some embodiments of the present invention.
5 is a flowchart illustrating a blockchain-based access control method according to a first embodiment of the present invention.
6 is an exemplary diagram of a data partitioning method that may be referred to in some embodiments of the present invention.
7 is an exemplary diagram of anti-forgery information that may be referred to in some embodiments of the present invention.
8 is an exemplary view for explaining a blockchain-based access control method according to a first embodiment of the present invention.
9 and 10 are flowcharts illustrating a blockchain-based access control method according to a second embodiment of the present invention.
11 is an exemplary view for explaining an access control method according to a first use example of the present invention.
12 is an exemplary view for explaining an access control method according to a second application example of the present invention.
13 is an exemplary view for explaining an access control method according to a third application example of the present invention.
14 is a block diagram illustrating a blockchain-based access control device according to an embodiment of the present invention.
15 is a hardware block diagram of a blockchain-based access control device according to an embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but can be implemented in various different forms, and only the embodiments make the disclosure of the present invention complete, and the general knowledge in the art to which the present invention belongs. It is provided to fully inform the person having the scope of the invention, which is defined only by the scope of the claims.

In adding reference numerals to the components of each drawing, it should be noted that the same reference numerals are assigned to the same components as much as possible even though they are shown in different drawings. In addition, in describing the present invention, when it is determined that the detailed description of the related well-known configuration or function may obscure the gist of the present invention, the detailed description thereof will be omitted.

Unless otherwise defined, all terms used in the present specification (including technical and scientific terms) may be used in a sense that can be commonly understood by those skilled in the art. In addition, the terms defined in the commonly used dictionaries are not ideally or excessively interpreted unless they are specifically defined clearly. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase.

In addition, in describing the component of this invention, terms, such as 1st, 2nd, A, B, (a), (b), can be used. These terms are only for distinguishing the components from other components, and the nature, order or order of the components are not limited by the terms. If a component is described as being "connected", "coupled" or "connected" to another component, that component may be directly connected to or connected to that other component, but there may be another configuration between each component. It is to be understood that the elements may be "connected", "coupled" or "connected".

As used herein, “comprises” and / or “comprising” refers to a component, step, operation and / or element that is mentioned in the presence of one or more other components, steps, operations and / or elements. Or does not exclude additions.

Prior to the description herein, some terms used herein will be clarified.

In the present specification, a blockchain network refers to a P2P structured network composed of a plurality of blockchain nodes operating according to a blockchain algorithm / protocol.

In the present specification, a blockchain node refers to a computing node that forms a blockchain network and maintains and manages a blockchain based on a blockchain algorithm / protocol. The computing node may be implemented as a logical computing device, such as a physical computing device or a virtual machine. When the computing node is implemented as a virtual machine, a plurality of blockchain nodes may be included in one physical computing device.

In the present specification, a smart contract refers to a script or software code used for processing various transactions in a blockchain environment. More specifically, the smart contract is a code that programmatically writes various conditions, states, and behaviors according to the conditions used for transaction processing, for example, a smart contract of Ethereum, a hyper ledger fabric. Chain code and the like. In a blockchain environment, blockchain nodes share smart contracts registered on the blockchain.

In this specification, a data fragment refers to a portion of original data or a portion of data generated based on the original data. Thus, it is noted that the data fragment does not only refer to the physical portion of the original data itself. The term " fragment " may be used interchangeably with the terms chunk, segment, part, and the like in the art.

In this specification, an instruction is a series of instructions grouped by function and refers to a component of a computer program and executed by a processor.

Hereinafter, some embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is a block diagram of an exemplary system in which a blockchain based access control method according to some embodiments of the present invention may be performed.

Referring to FIG. 2, the exemplary system may include an access control device 100 and a blockchain network 200 composed of a plurality of blockchain nodes. However, this is only a preferred embodiment for achieving the object of the present invention, of course, some components may be added or deleted as necessary. In addition, each component constituting the system illustrated in FIG. 2 represents functionally distinct functional elements, and it may be noted that at least one component may be embodied in an integrated form in an actual physical environment. For example, the access control device 100 and the at least one blockchain node constituting the blockchain network 200 may be implemented with different logic in the same physical computing device.

In the exemplary system, the access control device 100 is a computing device that performs access control on the data to be controlled. Here, the computing device may be a laptop, a desktop, a laptop, and the like, but is not limited thereto and may include all kinds of devices equipped with a computing function and a communication function.

The control target data means data given a predetermined access restriction period. For example, the control target data may be data that requires confidentiality for a certain period of time. According to some embodiments of the present invention, the access restriction period may be set per user and / or per access right. In addition, the access restriction period may be set to a period between two time points at which access restriction is required, or may be set to a specific time point at which the access restriction is released.

According to an embodiment of the present invention, the access control device 100 performs an access control on the control target data on a blockchain basis. At this time, the control target data is recorded on the blockchain. Therefore, according to the present embodiment, the confidentiality of the data to be controlled may be guaranteed during the access restriction period and the integrity of the data to be controlled may also be guaranteed. A detailed description of the access control method performed by the access control apparatus 100 will be described in detail with reference to the drawings of FIG. 5.

In the example system, blockchain network 200 is a peer-to-peer network comprised by a plurality of blockchain nodes. In this case, the blockchain node is a node operating according to a blockchain algorithm (or protocol), and each blockchain node maintains the same blockchain data by the blockchain algorithm.

According to some embodiments of the invention, blockchain network 200 may maintain a plurality of blockchains. In this case, the first blockchain may be a blockchain implemented to allow access only of a specific user with access authority, and the second blockchain may be a blockchain implemented to allow access of a user regardless of access authority. In such a case, the access control apparatus 100 registers the control target data recorded on the first blockchain after the access restriction period has elapsed to the plurality of users who use the second blockchain. Access control can be performed.

The manner of implementing the plurality of blockchains may vary depending on the embodiment.

For example, as shown in FIG. 3, the blockchain network 200 is composed of a plurality of different blockchain networks 211 and 213, and each blockchain network 211 and 213 is formed of independent blockchains. It can be implemented to maintain.

For another example, as shown in FIG. 4, the blockchain network 200 may be configured as a network operated by a multi-channel, and each channel may be implemented to correspond to one blockchain. . That is, in the example shown in FIG. 4, blockchain nodes belonging to the first channel 221 in the same blockchain network 200 maintain the first blockchain, and blockchains belonging to the second channel 223. Nodes can be implemented to maintain a second blockchain.

However, the examples listed above are intended to describe some embodiments of the present invention, and the scope of the present invention is not limited to the examples listed above, and the plurality of blockchains may be implemented in various ways.

In the exemplary system, the user terminal 300 is a terminal used by the user for the purpose of registering data in the blockchain or inquiring data registered in the blockchain. The user terminal 300 may be implemented in any computing device.

The components of the system shown in FIG. 2 can communicate via a network. The network may be any type of wired / wireless network such as a local area network (LAN), a wide area network (WAN), a mobile radio communication network, a wireless broadband Internet (Wibro), or the like. Can be implemented.

So far, the exemplary system in which the access control method according to some embodiments of the present invention can be performed has been described with reference to FIGS. 2 to 4. Hereinafter, an access control method according to some embodiments of the present invention will be described with reference to FIGS. 5 through 14.

Each step of the blockchain-based access control method according to embodiments of the present invention to be described below may be performed by a computing device. For example, when the access control method is performed in the environment shown in FIG. 2, the computing device may be an access control device 100. However, for convenience of description, the description of the operation subject of each step included in the blockchain-based access control method may be omitted. In addition, each step of the access control method may be implemented by instructions of a computer program loaded in a memory and executed by a processor.

First, the access control method according to the first embodiment of the present invention will be described with reference to FIGS. 5 to 8.

5 is a flowchart illustrating an access control method according to a first embodiment of the present invention. The access control method according to the first embodiment is performed on one blockchain basis. A description with reference to FIG. 5 is as follows.

Referring to FIG. 5, the access control method according to the first embodiment starts at step S10 of receiving a request for registration of control target data from the user terminal 300. As described above, the control target data is data given a predetermined access restriction period.

In one embodiment, the access restriction period may be set by a user.

In another embodiment, the access restriction period may be automatically set by the access control device 100 or another device (e. G., User terminal 300). For example, the access restriction period may be automatically set based on the importance level of the data to be controlled. However, the manner in which the access restriction period is set may be performed in any other way.

In step S20, the registration procedure for the control target data is started in response to the registration request. In the first step S20 of the registration procedure, the access control apparatus 100 generates a plurality of data pieces from the control target data according to a preset division rule. For example, the access control apparatus 100 may generate a plurality of data pieces 245 and 247 by applying the division rule 243 specified to the control target data 241 as shown in FIG. 6. In the following description, it is assumed that the number of data fragments generated according to the partitioning rule is two for convenience of understanding. However, the scope of the present invention is not limited by the number of data fragments.

The division rule may include various kinds of rules. For example, as shown in FIG. 6, a first rule of dividing the data fragment into a physical part of the original data, a second rule of compressing the original data and dividing the data based on the compressed original data, and the original data And a third rule of dividing the data based on the encrypted original data. In addition, the division rule may include all kinds of rules for generating a plurality of pieces of data based on the original data. In addition, the partitioning rule may also include a rule for regenerating corresponding data from a plurality of pieces of data.

For reference, when a data fragment is generated according to the second rule, a constant encryption effect may be obtained according to the compression process. In addition, due to the reduction in data capacity due to compression, the storage capacity problem, which is one of the sensitive problems of the blockchain environment, may be reduced.

According to some embodiments of the present disclosure, the division rule applied to the control target data may vary depending on the importance of the control target data. For example, for controlled data with a high degree of importance (e.g. confidentiality level, security level, etc.), a stronger segmentation rule may be applied. Here, the term "high intensity" means that the data is increased by increasing the number of pieces of data to be divided, or performing further processing such as data mixing / shuffling, additional processing such as compression / encryption, and the like. This means that the difficulty of splitting / reproducing is improved. According to the present embodiment, security of data with high importance may be further improved.

In addition, according to some embodiments of the present disclosure, the access control apparatus 100 may generate a data key (ie, an identification value) for the data to be controlled. In the present embodiment, the data fragment generated in step S20 is matched with the data key, recorded on the blockchain 230, and used for inquiring control target data. However, in some embodiments, the data key may be provided from the user terminal 300.

In addition, according to some embodiments of the present disclosure, the access control apparatus 100 may generate information for preventing forgery of the control target data. The forgery prevention information may include a hash value for the entire control target data and / or a hash value for each piece of data, but may be configured in any manner as long as the forgery of the control target data can be verified. . For example, as illustrated in FIG. 7, the forgery prevention information may be configured as a merkle tree or hash tree for hash values of the respective data pieces 251 to 259. Through this, the integrity of the data to be controlled may be further strengthened. Since the Merkle tree is a concept well known in the art, a description thereof will be omitted.

Referring back to FIG. 5, in step S30, the access control apparatus 100 first registers some data pieces in the blockchain 230. For example, the access control apparatus 100 may record the first data fragment and the forgery prevention information on the blockchain 230 by matching the data key. In this step (S30), as some data pieces are first recorded in the blockchain 230, whether the control target data is registered and / or the time of registration can be guaranteed.

In operation S40, the access control apparatus 100 registers the remaining data pieces in the blockchain 230. For example, the access control apparatus 100 may record the second data fragment and the division rule in the blockchain 230 by matching the data key.

This step S40 is performed after the access restriction period of the control target data has elapsed. That is, as shown in FIG. 8, the access control apparatus 100 determines whether the access restriction period of the control target data has elapsed, and performs this step S40 in response to the elapsed determination. Therefore, some data of the control target data is not exposed to the user of the blockchain during the access restriction period, and thus the user's access to the control target data may be restricted.

After the access time limit has elapsed, if an inquiry request for the corresponding control target data is received from the user terminal 300, a data regeneration procedure may be performed. Specifically, in the data regeneration procedure, all data fragments, division rules, and anti-forgery information recorded on the blockchain are inquired, the corresponding control target data is regenerated based on the division rules, and based on the forgery prevention information. Verification on the data to be controlled may be performed. In addition, regenerated control target data may be provided in response to the inquiry request. The data regeneration procedure as described above may be performed by the access control apparatus 100, but may be performed by another apparatus.

On the other hand, in Figure 8, the second time point (T ₁₎ the first data piece 261 and the tamper protection information (267) on the first and registered on a block chain 230, the term access control lapse (T ₂ The second data piece 263 and partition rule 265 are shown as being registered. However, the type and number of data registered at the first time point T ₁ and the second time point T ₂ may vary. For example, only the first data piece 261 may be registered in the blockchain at the first time point T ₁ , and the remaining data 263 to 267 may be registered in the blockchain at the second time point T ₂ .

So far, the access control method according to the first embodiment of the present invention has been described with reference to FIGS. According to the above-described method, by registering some data on the blockchain and registering the remaining data on the blockchain at the time after the access restriction period has passed, the blockchain ensures the registration timing of the control data and the integrity of the control data. Can be. In addition, conventionally, even if data is given a confidentiality period, it is impossible to prevent access behavior such as data viewing after being registered in the public-based blockchain. However, according to the above method, since the access control can be performed even in a public-based blockchain environment by registering some divided data after the confidentiality period has elapsed, the confidentiality of the data is also guaranteed during the confidentiality period. Can be. In addition, since there is no need to manage a separate access control list (access control list) it is possible to efficiently access control. In addition, since the public-based blockchain does not need to be rebuilt as a private-based blockchain for access control, human costs, time costs, and computing costs for rebuilding can be greatly reduced.

Hereinafter, an access control method according to a second embodiment of the present invention will be described with reference to FIGS. 9 and 10. Hereinafter, a description will be given with reference to the drawings below with reference to FIG. 9, and descriptions of the same contents as the above-described embodiments will be omitted.

9 is a flowchart illustrating an access control method according to a second embodiment of the present invention.

As shown in FIG. 9, the access control method according to the second embodiment is performed based on a plurality of blockchains 271 and 273. In this case, the first blockchain 271 refers to a blockchain implemented such that even an unauthorized user (or a user who has access to the data after an access restriction period) is allowed to access. For example, the first blockchain 271 may be implemented in a public blockchain network in which access control for a user is not performed. The second blockchain 273 indicates a blockchain accessible only by a user who has access authority (or a user who can access even during an access restriction period). For example, the second blockchain 273 may be implemented in a private blockchain network that allows access control for a specific user. However, both the first blockchain 271 and the second blockchain 271 may be implemented in a private blockchain network, which may vary depending on the embodiment.

In more detail with respect to the access control method, the access control method according to the second embodiment also begins in step S100 of receiving a registration request for the control target data.

In operation S110, the access control apparatus 100 generates a plurality of pieces of data based on the access control target data according to a preset division rule. Description of this step (S110) is the same as described above, so it will be omitted.

In operation S120, the access control apparatus 100 registers meta information such as a data key in the second blockchain 273 together with the generated plurality of pieces of data. Since the second blockchain 273 can be accessed only by a user having access authority, even though all data are registered, the control target data is not exposed to a user without access authority.

In operation S130, the access control apparatus 100 registers some data pieces in the first blockchain 271. In this step S130, even if some pieces of data are recorded on the first blockchain 271, since the regeneration of the control target data is impossible, the control target data is not exposed to a user without access authority.

In step S140, after the access restriction period has elapsed, the access control device 100 registers the remaining pieces of data in the first blockchain 271. For example, the access control apparatus 100 may determine whether an access restriction period of the control target data has elapsed, and record the remaining pieces of data on the first blockchain 271 in response to the elapsed determination. . Accordingly, since the exposure time point of the control target data is determined to be a time point after the access restriction period elapses, the access control to the control target data may be performed during the access restriction period.

Meanwhile, according to another embodiment of the present invention, the step S140 may be performed by a smart contract. Specifically, as shown in FIG. 10, the access control apparatus 100 registers a predetermined smart contract in advance in the second blockchain 273. The smart contract is executed in response to the determination of the elapse of the access restriction period, and includes a routine for processing some pieces of data recorded on the second blockchain 273 to be recorded on the first blockchain 271. It's a smart contract. Therefore, when the access restriction period elapses, the smart contract is executed (S240), and the remaining data pieces may be recorded on the first blockchain 270 by the smart contract (S250). According to the present embodiment, the step S140 is automatically performed on the blockchain using the smart contract shared on the blockchain. Therefore, the load of the access control apparatus 100 is reduced, and the secure processing of the step S140 may be guaranteed through a blockchain technology that guarantees the safety of transaction processing. In addition, all data (eg data fragments, anti-forgery information, and division rules) required for the regeneration of the data to be controlled are recorded directly on the blockchain, thereby minimizing the period in which the access control device 100 stores the data. As such, the integrity and security of the data to be controlled may be further improved.

For reference, in FIG. 10, the smart contract is shown to be registered in the second blockchain 273 together with the data fragments generated in the second blockchain 273, but the smart contract is registered in the second blockchain 273. The time to be registered in may vary depending on the embodiment.

In addition, in FIGS. 9 and 10, steps S110 and S210 of generating a plurality of data pieces may be omitted according to an exemplary embodiment. In this case, the entire control target data may first be registered in the second blockchain 273, and the entire control target data may be registered in the first blockchain 271 when the access restriction period has elapsed.

So far, the access control method according to the second embodiment of the present invention has been described with reference to FIGS. 9 and 10. According to the above-described method, the access control can be effectively performed for a plurality of users by delaying the time when the control target data is registered on the blockchain used by the plurality of users for the access restriction period. Accordingly, unlike the related art, separate processing such as encryption does not need to be performed to perform access control, and access control list can be efficiently performed since there is no need to separately manage the access control list. In addition, unlike the related art, even when the first blockchain 271 is implemented as a public blockchain, access control to a user may be performed.

In the following, in order to provide a more convenient understanding, it will be described with respect to specific application examples of the present invention based on the above-described contents.

First, with reference to FIG. 11, the 1st utilization example of this invention is demonstrated.

In the first use case, the first blockchain 281 is a blockchain implemented to allow access of all users A and B. The first blockchain 281 may be implemented in a public blockchain network, or may be implemented in a manner that allows access to all users A and B in a private blockchain network.

The second blockchain 283 is a blockchain implemented such that only access to a specific user A with access permission is allowed. The second blockchain 283 may be implemented in a manner of granting access rights only to a specific user A in the private blockchain network.

When the first blockchain 281 and the second blockchain 283 are implemented as shown in FIG. 11, the user A having access rights can access the second blockchain 283 even during the access restriction period. Control target data can be used.

In addition, the user B cannot access the data to be controlled during the access restriction period, and after the entire data 261 to 267 are registered in the first blockchain 281, the user B may access the data through the first blockchain 281. Control target data can be used.

As such, according to the first application example, access control may be performed for each user (A, B) (or for each access right) based on the blockchains 281 and 283. For example, if the user A is the creator or registrant of the control target data, the access control may be performed such that only the creator or registrant can access the data and other users cannot access the data during the access restriction period.

Next, with reference to FIG. 12, the 2nd utilization example of this invention is demonstrated.

As shown in FIG. 12, in the second application example, access control is performed using four or more blockchains 291, 293, 295, and 297, and different access restriction periods are applied for each access right. Specifically, the first access restriction period is applied to the user A having the first access right, the second access restriction period is applied to the user B having the second access right, and the first access restriction period is applied to the user A without the access right. 3 Access restriction periods apply. In addition, access control is performed so that the registrant of the control target data can access the control target data regardless of the access restriction period.

In the second use case, the first blockchain 291 is a blockchain implemented to allow access to all users. Therefore, after the third access restriction period has elapsed, the remaining data 265 and 267 are registered in the first blockchain 291, and the control target data is exposed to all users after the third access restriction period has elapsed. do. As described above, the registration of the remaining data 265 and 267 may be directly performed by the access control apparatus 100 or may be performed by the smart contract.

The second blockchain 293 is a blockchain implemented such that only a specific user B (or a user having a second access right) is allowed to access. Therefore, after the second access restriction period has elapsed, the remaining data 265 and 267 are registered in the second blockchain 293. 12 illustrates that data 265 and 267 recorded on the fourth blockchain 297 are registered in the second blockchain 293, but the data recorded on the third blockchain 295 is illustrated. It goes without saying that 265 and 267 may operate to be registered in the second blockchain 295.

The third blockchain 295 is a blockchain implemented such that only a specific user A (or a user having a first access right) is allowed to access. Therefore, after the first access restriction period has elapsed, the remaining data 265 and 267 are registered in the third blockchain 295.

The fourth blockchain 297 is a blockchain implemented such that only the registrant is allowed access. Since all data 261 to 267 are registered in the fourth blockchain 297 at the time of data registration, the registrant can use the control target data regardless of the access restriction period.

As described above, according to the second use example, access control may be performed by access authority (or by user) by delaying the registration time of some data 265 and 267 by access authority (or by user). . Conventionally, in order to perform access control by access authority and / or user, there has been a burden of maintaining and managing a complicated access control list. However, according to the above-described applications, since there is no need to manage a separate access control list, access control can be efficiently performed, and a complex access control function for each user and / or access authority even in a blockchain environment. This may be provided.

Next, a third application example of the present invention will be described with reference to FIG.

As shown in FIG. 13, the third use example performs access control by access authority (or user) in the same manner as the second use example, but uses only three blockchains 301, 303, and 305. .

In the third use example, the first blockchain 301 is a blockchain implemented to allow access to all users, which is the same as the second use example described above.

The second blockchain 301 is a blockchain implemented so that only a registrant and a specific user B (or a user having a second access right) are allowed to access. Therefore, after the second access restriction period has elapsed, the remaining data 265 and 267 are registered in the second blockchain 293.

The third blockchain 305 is a blockchain implemented such that only a registrant and a specific user A (or a user having a first access right) are allowed to access. Therefore, after the first access restriction period has elapsed, the remaining data 265 and 267 are registered in the third blockchain 305.

In the fourth application example, some of the data generated from the data to be controlled 265 and 267 are directly registered in the second blockchain 303, and the remaining parts 261 and 267 are stored in the third blockchain 305. It is registered immediately. Therefore, only registrants who have access to the two blockchains 303 and 305 can use the control target data regardless of the access restriction period. In addition, the users A and B cannot use the control target data until the access restriction period set for each user elapses.

So far, some applications of the present invention have been described with reference to FIGS. 11 to 13. However, it should be noted that some of the above-described applications are merely provided for convenience of understanding of the present invention, and the scope of the present invention is not limited by the above-described applications.

According to some applications described above, a confidential document management system for performing access control on a user-by-user basis for a confidential document can be easily constructed. At this time, the confidential document management system is a system for managing a document that needs to be kept confidential for a certain period of time. In the case of confidential documents, the confidentiality of the documents must be ensured during the confidentiality period, as well as the integrity of the documents. In addition, in the case of confidential documents, different access rights may be granted for each user. According to the above-described applications, a flexible access control function can be provided for each user and / or access authority without an access control list using a plurality of blockchains, and the integrity of confidential documents can also be guaranteed due to the characteristics of the blockchain. Can be. In addition, unlike the digital rights management (DRM) solution commonly used for managing confidential documents, no encryption is required. Therefore, the confidential document management system constructed in accordance with the above-described applications has a problem of managing encryption keys. With the development of computing technology, the stability of encryption technology is free from problems.

Hereinafter, the configuration and operation of the access control apparatus 100 that performs the access control method according to some embodiments described above will be described with reference to FIGS. 14 and 15.

14 is a block diagram illustrating an access control apparatus 100 according to an embodiment of the present invention.

Referring to FIG. 14, the access control apparatus 100 may include a data divider 110, a data register 130, a blockchain interworking unit 140, a data request processor 150, and a data regenerator 160. Can be. However, FIG. 14 shows only the components related to the embodiment of the present invention. Accordingly, it will be appreciated by those skilled in the art that other general purpose components may be further included in addition to the components illustrated in FIG. 14. In addition, each component of the access control apparatus 100 illustrated in FIG. 14 represents functionally divided functional elements, and may be implemented in a form in which at least one component is integrated with each other in an actual physical environment. do.

Looking at each component, the data dividing unit 110 divides the control target data according to the dividing rule 120 in response to the registration request. As mentioned in some embodiments described above, the data dividing unit 110 may generate a plurality of data fragments, data keys, anti-forgery information, and the like from the control target data according to the dividing rule 120.

The data registration unit 130 registers the data generated by the data division unit 110 (e.g. a plurality of data fragments, data keys, anti-forgery information) and the division rule used on the blockchain. The registration process may be performed through the blockchain interworking unit 140.

As mentioned in some of the above-described embodiments, the data register 130 registers some data pieces on the blockchain at a first time point, and the remaining data pieces at the second time point when a set access restriction period has elapsed. Register on the chain. As such, access control by access authority and / or user may be performed by controlling the timing at which some data is registered on the blockchain. Detailed description thereof is as described above and will be omitted.

The blockchain interworking unit 140 performs various interworking functions such as communication and message conversion between the blockchain network 200 and the access control device 100.

The data request processing unit 150 obtains data such as a plurality of pieces of data, division rules, and forgery and alteration information recorded on the blockchain in response to an inquiry request for control data. For example, the data request processing unit 150 may obtain the data by querying the blockchain with the data key of the corresponding control target data.

The data regeneration unit 160 regenerates the control target data requested from the plurality of data pieces. For example, the data regenerating unit 160 regenerates the requested control target data by verifying the plurality of pieces of data by using forgery and alteration prevention information, and combining the plurality of pieces of data in response to the determination that the pieces of data are valid. The combining process may be performed using the division rule, and a description thereof will be omitted since it may obscure the subject matter of the present invention.

Meanwhile, according to another exemplary embodiment of the present invention, the data request processor 150 and the data regenerator 160 may be excluded from the components of the access control apparatus 100. For example, the functions of the data request processor 150 and the data regenerator 160 may be implemented in other devices that process the data inquiry request. Alternatively, the user terminal 300 may directly query the blockchain to obtain a plurality of pieces of data, and regenerate the control target data with reference to the division rule.

Each component of the access control apparatus 100 illustrated in FIG. 14 may refer to software or hardware such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). However, the components are not limited to software or hardware, and may be configured to be in an addressable storage medium, or may be configured to execute one or more processors. The functions provided in the above components may be implemented by more detailed components, or may be implemented as one component that performs a specific function by combining a plurality of components.

15 is a block diagram illustrating a hardware configuration of a blockchain-based access control device 100 according to an embodiment of the present invention.

Referring to FIG. 15, the access control apparatus 100 may include a memory 103 that loads one or more processors 101, a bus 105, a network interface 107, and a computer program executed by the processor 101. And a storage 109 for storing the computer program 109a. However, FIG. 15 shows only the components related to the embodiment of the present invention. Therefore, it will be appreciated by those skilled in the art that the present invention may further include other general purpose components in addition to the components illustrated in FIG. 15.

The processor 101 controls the overall operation of each component of the access control device 100. The processor 101 includes a central processing unit (CPU), a micro processor unit (MPU), a micro controller unit (MCU), a graphics processing unit (GPU), or any type of processor well known in the art. Can be. In addition, the processor 101 may perform an operation on at least one application or program for executing a method according to embodiments of the present invention. The access control device 100 may include one or more processors.

The memory 103 stores various data, commands and / or information. The memory 103 may load one or more programs 109a from the storage 109 to execute a blockchain-based access control method according to embodiments of the present invention. In FIG. 15, RAM is illustrated as an example of the memory 103.

The bus 105 provides a communication function between the components of the access control apparatus 100. The bus 105 may be implemented as various types of buses such as an address bus, a data bus, and a control bus.

The network interface 107 supports wired and wireless Internet communication of the access control device 100. In addition, the network interface 107 may support various communication methods other than Internet communication. To this end, the network interface 107 may be configured to include a communication module well known in the art.

The storage 109 may non-temporarily store the one or more programs 109a.

The storage 109 is well-known in the technical field to which a non-volatile memory such as a read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EPROM), flash memory, or the like, a hard disk, a removable disk, or the present invention. It may comprise any known type of computer readable recording medium.

The computer program 109a is loaded into the memory 103 and includes a series of instructions that cause the one or more processors 101 to execute the blockchain based access control method according to some embodiments of the invention described above. can do. That is, the computer program 109a may include instructions for causing the access control apparatus 100 to perform operations corresponding to each step of the blockchain-based access control method according to some embodiments of the present invention described above. .

For example, the computer program 109a generates an first data fragment and a second data fragment based on the control target data given the access restriction period, and records the first data fragment on the first blockchain. And after the access restriction period, instructions for performing the operation of processing the second data piece to be written on the first blockchain.

For example, in a second example, the computer program 109a writes the control target data given the access restriction period on the first blockchain, and after the access restriction period passes, the control target data is stored on the second blockchain. Instructions to perform an operation for processing to be recorded in the.

In addition, the computer program 109a may include instructions for performing an operation according to some embodiments described above.

So far, some embodiments of the present invention have been described with reference to FIGS. 2 to 15 and the effects according to the above embodiments have been mentioned. Effects of the present invention are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The concepts of the present invention described above with reference to FIGS. 2 through 15 may be implemented in computer readable code on a computer readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray disc, USB storage device, removable hard disk) or a fixed recording medium (ROM, RAM, computer equipped hard disk). Can be. The computer program recorded on the computer-readable recording medium may be transmitted to another computing device and installed in the other computing device through a network such as the Internet, thereby being used in the other computing device.

In the above description, all elements constituting the embodiments of the present invention are described as being combined or operating in combination, but the present invention is not necessarily limited to the embodiments. In other words, within the scope of the present invention, all of the components may be selectively operated in combination with one or more.

Although the operations are shown in a specific order in the drawings, it should not be understood that the operations must be performed in the specific order or sequential order shown or that all the illustrated operations must be executed to achieve the desired results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of the various configurations in the embodiments described above should not be understood as such separation being necessary, and the described program components and systems may generally be integrated together into a single software product or packaged into multiple software products. Should be understood.

Although embodiments of the present invention have been described above with reference to the accompanying drawings, those skilled in the art to which the present invention pertains may implement the present invention in other specific forms without changing the technical spirit or essential features thereof. I can understand that. Therefore, it is to be understood that the embodiments described above are exemplary in all respects and not restrictive. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present invention.

Claims (20)

A processor;
Network interface;
Memory; And
At least one program loaded in the memory and executed by the processor,
The at least one program,
Generating a first data piece and a second data piece based on the controlled object data given the access restriction period;
Writing the first piece of data onto a first blockchain; and
Instructions for causing the second data piece to be written on the first blockchain after the access restriction period,
The control object data may be reproducible based on the first data piece and the second data piece.
Blockchain based access control device. According to claim 1,
Generating the first data piece and the second data piece,
Generating the first data piece and the second data piece according to a preset rule;
The operation of processing to be recorded on the first blockchain,
And processing the second data piece and the preset rule to be recorded on the first blockchain.
Blockchain based access control device. According to claim 1,
Generating the first data piece and the second data piece,
Generating the first data piece and the second data piece according to a preset rule;
The predetermined rule is characterized in that it is determined based on the importance of the control target data,
Blockchain based access control device. According to claim 1,
Generating the first data piece and the second data piece,
Compressing the control target data; And
And generating the first data piece and the second data piece based on the compressed control target data.
Blockchain based access control device. According to claim 1,
The at least one program,
Generating forgery prevention information on the control target data; and
Further comprising instructions for performing the operation of recording the forgery prevention information on the first blockchain,
Blockchain based access control device. The method of claim 5,
The forgery and alteration prevention information,
And first information that prevents forgery of the first data piece and second information that prevents forgery of the second data piece.
Blockchain based access control device. The method of claim 6,
The forgery and alteration prevention information is composed of a merkle tree,
The first information and the second information, characterized in that corresponding to the lower node of the Merkle tree,
Blockchain based access control device. According to claim 1,
The operation of processing to be recorded on the first blockchain,
Determining whether the access restriction period has elapsed; and
And in response to the progress determination, writing the second piece of data onto the first blockchain.
Blockchain based access control device. According to claim 1,
The operation of processing to be recorded on the first blockchain,
Writing the second piece of data onto a second blockchain; and
Registering a smart contract executed in response to the elapse of the access restriction period on the second blockchain,
The smart contract,
And a routine for processing the second piece of data written on the second blockchain to be written on the first blockchain.
Blockchain based access control device. The method of claim 9,
The second blockchain is implemented such that only a user having a specific access right is allowed.
The first blockchain is characterized in that it is implemented to allow access of a user without the specific access rights,
Blockchain based access control device. According to claim 1,
The first data piece and the data piece,
Matched to an identification value and written on the first blockchain,
Characterized in that the inquiry through the identification value,
Blockchain based access control device. The method of claim 11, wherein
The at least one program,
Receiving an inquiry request for the control target data together with the identification value after the access restriction period,
In response to the inquiry request, querying the data written on the first blockchain with the identification value, and obtaining the first data fragment and the second data fragment as a result of the inquiry;
Regenerating the control object data based on the first data piece and the second data piece; and
And instructions for performing the operation of providing the regenerated control target data.
Blockchain based access control device. A processor;
Network interface;
Memory; And
At least one program loaded in the memory and executed by the processor,
The at least one program,
Recording the controlled data on the first blockchain given the access restriction period; and
And after the access restriction period, instructions for performing an operation of processing the data to be controlled to be written on the second blockchain.
Blockchain based access control device. The method of claim 13,
The first blockchain is implemented so that only a user with a specific access right is allowed.
The second blockchain is characterized in that it is implemented to allow access of a user without the specific access rights,
Blockchain based access control device. The method of claim 13,
The first blockchain is implemented in a private blockchain network,
The second blockchain is characterized in that implemented in a public blockchain network (public blockchain network),
Blockchain based access control device. The method of claim 13,
The first blockchain corresponds to a first channel operated in a multi-channel based blockchain network,
The second blockchain is characterized in that corresponding to the second channel operated in the blockchain network,
Blockchain based access control device. The method of claim 13,
The operation of processing to be recorded on the second blockchain,
Determining whether the access restriction period has elapsed; and
And in response to the progress determination, recording the control target data on the second blockchain.
Blockchain based access control device. The method of claim 13,
The operation of processing to be recorded on the second blockchain,
Registering a smart contract executed in response to the elapse of the access restriction period on the first blockchain,
The smart contract,
And a routine for processing the control target data recorded on the first blockchain to be recorded on the second blockchain.
Blockchain based access control device. The method of claim 13,
The control object data includes the first data piece of the first data piece and the second data piece generated based on the original control object data;
The at least one program,
Further comprising instructions to perform an operation of writing the second piece of data onto the second blockchain before the access restriction period has elapsed,
The original control target data is reproducible based on the first data piece and the second data piece,
Blockchain based access control device. The method of claim 19,
The first data piece and the second data piece are generated according to a preset rule.
The predetermined rule is recorded on the second blockchain.
Blockchain based access control device.

Images