WO2020224138A1 - Blockchain technology-based multi-party authorization method and device - Google Patents

Blockchain technology-based multi-party authorization method and device Download PDF

Info

Publication number
WO2020224138A1
WO2020224138A1 PCT/CN2019/104329 CN2019104329W WO2020224138A1 WO 2020224138 A1 WO2020224138 A1 WO 2020224138A1 CN 2019104329 W CN2019104329 W CN 2019104329W WO 2020224138 A1 WO2020224138 A1 WO 2020224138A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
authorized
uploaded
party
subkeys
Prior art date
Application number
PCT/CN2019/104329
Other languages
French (fr)
Chinese (zh)
Inventor
何军
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020224138A1 publication Critical patent/WO2020224138A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • This application relates to the field of blockchain technology, in particular to a multi-party authorization method and device based on blockchain technology.
  • the authorization of data on the blockchain is usually one-to-one.
  • multiple nodes are required to complete the authorization of a node before the authorization is successful.
  • the one-to-one authorization scheme It cannot meet the needs. Therefore, how to ensure the security of data in the multi-party authorization situation has become an urgent problem to be solved.
  • the embodiments of the present application provide a multi-party authorization method and device based on blockchain technology to solve the problem of low data security related to multi-party authorization in the prior art.
  • a multi-party authorization method based on blockchain technology includes:
  • a multi-party authorization device based on blockchain technology.
  • the device includes a first obtaining unit for obtaining an authorization request uploaded by an authorized party, wherein the The authorization request is associated with multiple authorized parties; the second obtaining unit is configured to, in response to the authorization request, obtain the authorization data package uploaded by the primary authorized party among the multiple authorized parties, wherein the uploaded
  • the authorization data packet is encrypted using a first key, and the first key includes a plurality of subkeys, and each of the subkeys corresponds to one of the authorized parties;
  • the third obtaining unit is configured to obtain the A plurality of said sub-keys uploaded by the authorized party; a splicing unit for splicing a plurality of said sub-keys by a preset algorithm to obtain a second key; a matching unit for combining the second secret
  • the key is matched with the first key, and when the match is successful, the authorized data packet is decrypted and authorized to the authorized party.
  • a computer non-volatile storage medium includes a stored program.
  • the program When the program is running, the device where the storage medium is located is controlled to execute the foregoing Multi-party authorization method of blockchain technology.
  • a computer device including a memory, a processor, and a computer program stored in the memory and running on the processor, and the processor executes all
  • the computer program implements the steps of the above-mentioned multi-party authorization method based on blockchain technology.
  • Fig. 1 is a flowchart of an optional multi-party authorization method based on blockchain technology provided by an embodiment of the present application
  • FIG. 2 is a schematic diagram of an optional multi-party authorization device based on blockchain technology provided by an embodiment of the present application
  • Fig. 3 is a schematic diagram of an optional computer device provided by an embodiment of the present application.
  • first, second, third, etc. may be used to describe terminals in the embodiments of the present application, these terminals should not be limited to these terms. These terms are only used to distinguish terminals from each other.
  • first obtaining unit may also be referred to as the second obtaining unit, and similarly, the second obtaining unit may also be referred to as the first obtaining unit.
  • the word “if” as used herein can be interpreted as “when” or “when” or “in response to determination” or “in response to detection”.
  • the phrase “if determined” or “if detected (statement or event)” can be interpreted as “when determined” or “in response to determination” or “when detected (statement or event) )” or “in response to detection (statement or event)”.
  • Fig. 1 is a flowchart of a multi-party authorization method based on blockchain technology according to an embodiment of the present application. As shown in Fig. 1, the method includes:
  • Step S101 Obtain an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties.
  • Step S102 in response to the authorization request, obtain the authorization data package uploaded by the main authorizer among the multiple authorization parties, where the uploaded authorization data package is encrypted using a first key, and the first key includes multiple subkeys, Each subkey corresponds to an authorized party.
  • Step S103 Obtain multiple subkeys uploaded by the authorized party.
  • step S104 a plurality of sub-keys are spliced by a preset algorithm to obtain a second key.
  • step S105 the second key is matched with the first key.
  • the authorization data packet is decrypted and authorized to the authorized party.
  • the second key that matches the first key cannot be restored.
  • the call of a certain contract document requires multiple approvers to authorize. After the main custodian of the contract document is authorized, the remaining approvers need to authorize their subkeys to the caller one by one. After the caller collects the subkeys, Only then can the called contract file be opened.
  • the method before obtaining the authorization data package uploaded by the main authorizer among the multiple authorizers in response to the authorization request, includes: in response to the authorization request, generating a first key; the first key includes a plurality of subkeys , The subkey is a hash value obtained by hashing the identity information of an authorized party; each subkey in the first key is marked with an identifier corresponding to an authorized party.
  • the authorizing party's identity information may be the authorizing party's name, ID identification, mailbox, and other unique identity information bound to the authorizing party.
  • Hashing also called hashing
  • hashing is to transform an input of any length into a fixed-length output through a hashing algorithm, and the output is the hash value.
  • the hash operation can be divided into multiple types, such as 16-bit hash operation, 32-bit hash operation, and 128-bit hash operation.
  • each subkey is a 32-bit hash value.
  • the first key is a 128-bit hash sequence, which is divided into a first subkey of 1 to 32 bits and a first subkey of 33 to 64 bits. Two subkeys, a third subkey of 65 to 96 bits, and a fourth subkey of 97 to 128 bits.
  • the subkey includes a shared hash value and a private hash value.
  • the subkey is a 32-bit hash value, where the first 16 bits of the hash value are the shared hash value, and the last 16 bits of the hash value are the private hash value obtained by hashing the identity information of each authorized party.
  • the shared hash value is a hash value obtained by hashing the identity information of the authorization data packet. For example, the number of the contract to be authorized, or the name of the document to be authorized.
  • the hash operation includes any one of a message digest algorithm and a standard algorithm for secure messy information, all of which have good compressibility, collision resistance, and modification resistance, and are easy to calculate. It can be understood that because the hash operation has the irreversible feature, that is, the original string before the operation cannot be recovered through the hash sequence. Therefore, the third party cannot obtain the identity information of multiple authorized parties of the authorized data package, and cannot steal the authorized data package through private authorization, thereby protecting the security of the authorized data package.
  • the method of concatenating multiple subkeys to obtain the second key by using a preset algorithm includes:
  • the subkey uploaded by the authorized party is provided with an identifier, and the subkey is matched with the subkey with the same identifier in the first key according to this identifier.
  • the complete sequence of the first key is A (first subkey) + B (second subkey) + C (third subkey) + D (fourth subkey), then according to the subkey
  • the sequence of the key identifiers is to splice the sub-keys. If C is missing, then the complete hash sequence cannot be spliced. If the sequence is inconsistent, the first key and the second key cannot be matched successfully.
  • a (first sub-key) matches the sequence of part A in the complete sequence of the first key. If the matching is successful, it means that the authorization of the authorized party is successful.
  • the subkeys of the four authorized parties of A, B, C, and D are all matched successfully, the authorization data packet can be decrypted and authorized successfully.
  • the method further includes:
  • the public key of the authorizing party to encrypt the subkeys corresponding to the authorizing party in the first key one by one; send the second encrypted first key to each authorizing party, where the authorizing party will be able to
  • the subkey decrypted with the private key is sent to the authorized party, and the private key and the public key are a pair of asymmetric keys of the authorized party.
  • the sub-key to be distributed is encrypted with the public key of the recipient, so even if the sub-key is acquired by other nodes This subkey cannot be opened to obtain the correct hash sequence. Only the party who owns the private key paired with the public key can decrypt the subkey and obtain the correct hash sequence.
  • the encrypted complete first key can be sent to each authorized party, or the first key can be The subkey associated with the authorizing party ID is sent to the authorizing party separately. Understandably, in the above-mentioned sub-key distribution method, the authorized party can only use the private key to decrypt one of the sub-keys, thereby further ensuring the security of the authorized data package.
  • the remainder function is the remainder operation on the prime number p after calculating the result of the linear polynomial, and each subkey can be calculated by the specific value of x.
  • x 1 is 1, x 2 is 2, x 3 is 3, then f(x 1 ) is (a 0 +a 1 )mod(p), f(x 2 ) is (a 0 +2a 1 )mod (p), f(x 3 ) is (a 0 +3a 1 +9a 2 ) mod(p).
  • random numbers, prime numbers, and preset calculation methods are used to automatically generate the required number of sub-keys for the first key K 1.
  • the generated sub-keys are highly secure and difficult to be cracked, thereby guaranteeing authorized data Security of the package.
  • the method of splicing multiple sub-keys through a preset algorithm to obtain the second key includes: recovering the multiple sub-keys by using a Lagrangian interpolation formula to obtain the second key.
  • the embodiment of the application provides a multi-party authorization device based on blockchain technology.
  • the device is used to execute the above-mentioned multi-party authorization method based on blockchain technology.
  • the device includes: a first obtaining unit 10, The second acquiring unit 20, the third acquiring unit 30, the splicing unit 40, and the matching unit 50.
  • the first obtaining unit 10 is configured to obtain an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties;
  • the second acquiring unit 20 is configured to, in response to the authorization request, acquire the authorization data package uploaded by the main authorizer among the multiple authorization parties, where the uploaded authorization data package is encrypted using a first key, and the first key includes Multiple sub-keys, each sub-key corresponds to an authorized party;
  • the third obtaining unit 30 is configured to obtain multiple subkeys uploaded by the authorized party
  • the splicing unit 40 is used for splicing multiple sub-keys using a preset algorithm to obtain a second key
  • the matching unit 50 is configured to match the second key with the first key. When the matching is successful, the data packet is authorized to be decrypted and authorized to the authorized party.
  • the second key that matches the first key cannot be restored.
  • the call of a certain contract document requires multiple approvers to authorize. After the main custodian of the contract document is authorized, the remaining approvers need to authorize their subkeys to the caller one by one. After the caller collects the subkeys, Only then can the called contract file be opened.
  • the device further includes: a first generating unit and a labeling unit.
  • the first generating unit is configured to generate a first key in response to the authorization request before obtaining the authorization data package uploaded by the main authorizer among the multiple authorized parties.
  • the first key includes multiple sub-keys, and the sub-keys are A hash value obtained by hashing the identity information of an authorizing party; the labeling unit is used to label each subkey in the first key with an identity of the authorizing party.
  • the authorizing party's identity information may be the authorizing party's name, ID identification, mailbox, and other unique identity information bound to the authorizing party.
  • Hashing also called hashing
  • hashing is to transform an input of any length into a fixed-length output through a hashing algorithm, and the output is the hash value.
  • the hash operation can be divided into multiple types, such as 16-bit hash operation, 32-bit hash operation, and 128-bit hash operation.
  • each subkey is a 32-bit hash value.
  • the first key is a 128-bit hash sequence, which is divided into a first subkey of 1 to 32 bits and a first subkey of 33 to 64 bits. Two subkeys, a third subkey of 65 to 96 bits, and a fourth subkey of 97 to 128 bits.
  • the subkey includes a shared hash value and a private hash value.
  • the subkey is a 32-bit hash value, where the first 16-bit hash value is a shared hash value, and the last 16-bit hash value is a private hash value obtained by hashing the identity information of each authorized party.
  • the shared hash value is a hash value obtained by hashing the identity information of the authorization data packet. For example, the number of the contract to be authorized, or the name of the document to be authorized.
  • the hash operation includes any of the information-digest algorithm 5, the information-digest algorithm 4, and the standard algorithm for secure messy information, all of which have good compressibility, collision resistance, and modification resistance, and are easy to calculate . It can be understood that because the hash operation has the irreversible feature, that is, the original string before the operation cannot be recovered through the hash sequence. Therefore, the third party cannot obtain the identity information of multiple authorized parties of the authorized data package, and cannot steal the authorized data package through private authorization, thereby protecting the security of the authorized data package.
  • the splicing unit 40 includes a determining subunit and a matching subunit.
  • the determining sub-unit is used to determine whether the number of sub-keys uploaded by the authorized party is the same as the number of sub-keys in the first key; the matching sub-unit is used to upload the sub-keys according to the identifier of the authorized party if they are the same.
  • the keys are spliced to obtain the second key.
  • the subkey uploaded by the authorized party is provided with an identifier, and the subkey is matched with the subkey with the same identifier in the first key according to this identifier.
  • the complete sequence of the first key is A (first subkey) + B (second subkey) + C (third subkey) + D (fourth subkey), then according to the subkey
  • the sequence of the key identifiers is to splice the sub-keys. If C is missing, then the complete hash sequence cannot be spliced. If the sequence is inconsistent, the first key and the second key cannot be matched successfully.
  • a (first sub-key) matches the sequence of part A in the complete sequence of the first key. If the matching is successful, it means that the authorization of the authorized party is successful.
  • the subkeys of the four authorized parties of A, B, C, and D are all matched successfully, the authorization data packet can be decrypted and authorized successfully.
  • the device further includes an encryption unit and a sending unit.
  • the encryption unit is used to use the public key of the authorized party to perform secondary encryption on the sub-keys corresponding to the authorized party in the first key one by one before obtaining the multiple sub-keys uploaded by the authorized party; the sending unit uses Send the second encrypted first key to each authorized party, where the authorized party sends the sub-key that can be decrypted with the private key to the authorized party, and the private key and public key are a pair of asymmetrical Key.
  • the sub-key to be distributed is encrypted with the public key of the recipient, so even if the sub-key is acquired by other nodes This subkey cannot be opened to obtain the correct hash sequence. Only the party who owns the private key paired with the public key can decrypt the subkey and obtain the correct hash sequence.
  • the encrypted complete first key can be sent to each authorized party, or the first key can be The subkey associated with the authorizing party ID is sent to the authorizing party separately. Understandably, in the above-mentioned sub-key distribution method, the authorized party can only use the private key to decrypt one of the sub-keys, thereby further ensuring the security of the authorized data package.
  • the device further includes a second generating unit, a construction unit, a setting unit, and a distribution unit.
  • the second generating unit is used to generate the first key K 1 in response to the authorization request, the first key K 1 is used to encrypt the authorization data package uploaded by the main authorizer;
  • the distribution unit is used to transfer the subkey (x 1 , f(x 1 )) ,..., subkeys (x n
  • the remainder function is the remainder operation on the prime number p after calculating the result of the linear polynomial, and each subkey can be calculated by the specific value of x.
  • x 1 is 1, x 2 is 2, x 3 is 3, then f(x 1 ) is (a 0 +a 1 )mod(p), f(x 2 ) is (a 0 +2a 1 )mod (p), f(x 3 ) is (a 0 +3a 1 +9a 2 )mod(p).
  • random numbers, prime numbers, and preset calculation methods are used to automatically generate the required number of sub-keys for the first key K 1.
  • the generated sub-keys are highly secure and difficult to be cracked, thereby guaranteeing authorized data Security of the package.
  • the method of splicing multiple sub-keys through a preset algorithm to obtain the second key includes: recovering the multiple sub-keys by using a Lagrangian interpolation formula to obtain the second key.
  • the embodiment of the present application provides a computer non-volatile storage medium, the storage medium includes a stored program, wherein the device where the storage medium is located is controlled to perform the following steps when the program runs:
  • the first key performs encryption processing.
  • the first key includes multiple sub-keys, and each sub-key corresponds to an authorized party; obtains multiple sub-keys uploaded by the authorized party; performs multiple sub-keys through a preset algorithm Splice to obtain the second key; match the second key with the first key, and when the matching is successful, the authorization data packet is decrypted and authorized to the authorized party.
  • the device where the storage medium is located is controlled to perform the following steps: before obtaining the authorization data package uploaded by the primary authorizer among the multiple authorizers in response to the authorization request, generate the first key in response to the authorization request ;
  • the first key includes a plurality of sub-keys, the sub-key is a hash value obtained through a hash operation of the identity information of an authorized party; each sub-key in the first key is associated with the identity of the corresponding authorized party United.
  • the device where the storage medium is located is controlled to perform the following steps: the hash operation includes any one of the information-digest algorithm 5, the information-digest algorithm 4, and the standard algorithm for secure messy information.
  • controlling the device where the storage medium is located to execute the splicing of multiple subkeys using a preset algorithm to obtain the second key includes the following steps: determining the number of subkeys uploaded by the authorized party and the first key Whether the number of sub-keys in is the same; if they are the same, the uploaded sub-keys are spliced according to the identifier of the authorized party to obtain the second key.
  • the device where the storage medium is located is controlled to perform the following steps: before obtaining multiple sub-keys uploaded by the authorized party, use the public key of the authorized party to pair the first key corresponding to the authorized party The sub-keys of, are re-encrypted one by one; the first key after the second encryption is sent to each authorized party, where the authorized party sends the sub-key that can be decrypted with the private key to the authorized party, and the private key is The public key is a pair of keys of the authorized party.
  • Fig. 3 is a schematic diagram of a computer device provided by an embodiment of the present application.
  • the computer device 100 of this embodiment includes a processor 101, a memory 102, and a computer program 103 that is stored in the memory 102 and can run on the processor 101.
  • the computer program 103 is executed by the processor 101, To implement the multi-party authorization method based on blockchain technology in the embodiment, in order to avoid repetition, it will not be repeated here.
  • the computer program is executed by the processor 101, the function of each model/unit in the multi-party authorization device based on the blockchain technology in the embodiment is realized. To avoid repetition, it will not be repeated here.
  • the computer device 100 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the computer device may include, but is not limited to, a processor 101 and a memory 102.
  • FIG. 3 is only an example of the computer device 100 and does not constitute a limitation on the computer device 100.
  • the so-called processor 101 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the memory 102 may be an internal storage unit of the computer device 100, such as a hard disk or memory of the computer device 100.
  • the memory 102 may also be an external storage device of the computer device 100, such as a plug-in hard disk equipped on the computer device 100, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, and a flash memory card (Flash). Card) and so on.
  • the memory 102 may also include both an internal storage unit of the computer device 100 and an external storage device.
  • the memory 102 is used to store computer programs and other programs and data required by the computer equipment.
  • the memory 102 can also be used to temporarily store data that has been output or will be output.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative, for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined Or it can be integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the above-mentioned integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium.
  • the above-mentioned software functional unit is stored in a storage medium and includes several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (Processor) execute the method described in each embodiment of the present application Part of the steps.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program code .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to the technical field of blockchain technology, and provided in embodiments of the present application are a blockchain technology-based multi-party authorization method and device. The method comprises: obtaining an authorization request uploaded by an authorized party, wherein the authorization request is associated with a plurality of authorizing parties; in response to the authorization request, obtaining an authorization data package uploaded by a main authorizing party among the plurality of authorizing parties, the uploaded authorization data package utilizing a first key for encryption, the first key comprising a plurality of sub-keys, and each sub-key corresponding to an authorizing party; obtaining a plurality of sub-keys uploaded by the authorized party; splicing the plurality of sub-keys by means of a preset algorithm to obtain a second key; and matching the second key with the first key; and when matching is successful, decrypting the authorization data package and authorizing same to the authorized party. The technical solution provided in the embodiments of the present application may solve the problem in the prior art which relates to data security of multi-party authorization being low.

Description

一种基于区块链技术的多方授权方法及装置A multi-party authorization method and device based on blockchain technology
本申请要求于2019年05月07日提交中国专利局、申请号为201910374338.6、申请名称为“一种基于区块链技术的多方授权方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on May 07, 2019, the application number is 201910374338.6, and the application name is "a method and device for multi-party authorization based on blockchain technology", all of which are approved The reference is incorporated in this application.
【技术领域】【Technical Field】
本申请涉及区块链技术领域,尤其涉及一种基于区块链技术的多方授权方法及装置。This application relates to the field of blockchain technology, in particular to a multi-party authorization method and device based on blockchain technology.
【背景技术】【Background technique】
目前,区块链上数据的授权通常都是一对一的进行的,然而在个别需求中,需要多个节点全部完成对某一节点的授权才算授权成功,这个时候一对一授权的方案则无法满足需要,因此如何保障多方授权情形下数据的安全性成为目前亟待解决的问题。At present, the authorization of data on the blockchain is usually one-to-one. However, in individual needs, multiple nodes are required to complete the authorization of a node before the authorization is successful. At this time, the one-to-one authorization scheme It cannot meet the needs. Therefore, how to ensure the security of data in the multi-party authorization situation has become an urgent problem to be solved.
【申请内容】【Content of Application】
有鉴于此,本申请实施例提供了一种基于区块链技术的多方授权方法及装置,用以解决现有技术中涉及多方授权的数据安全性低的问题。In view of this, the embodiments of the present application provide a multi-party authorization method and device based on blockchain technology to solve the problem of low data security related to multi-party authorization in the prior art.
为了实现上述目的,根据本申请的一个方面,提供了一种基于区块链技术的多方授权方法,所述方法包括:In order to achieve the above objective, according to one aspect of the present application, a multi-party authorization method based on blockchain technology is provided, and the method includes:
获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理, 所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;获取所述被授权方上传的多个所述子密钥;通过预设算法将多个所述子密钥进行拼接,得到第二密钥;将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。Acquiring an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorizing parties; in response to the authorization request, acquiring the authorization data package uploaded by a primary authorizer among the multiple authorized parties, Wherein, the uploaded authorization data package is encrypted using a first key, and the first key includes a plurality of sub-keys, and each of the sub-keys corresponds to one of the authorized parties; obtaining the A plurality of said subkeys uploaded by an authorized party; a plurality of said subkeys are spliced by a preset algorithm to obtain a second key; the second key is matched with the first key, When the matching is successful, the authorized data packet is decrypted and authorized to the authorized party.
为了实现上述目的,根据本申请的一个方面,提供了一种基于区块链技术的多方授权装置,所述装置包括第一获取单元,用于获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;第二获取单元,用于响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理,所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;第三获取单元,用于获取所述被授权方上传的多个所述子密钥;拼接单元,用于通过预设算法将多个所述子密钥进行拼接,得到第二密钥;匹配单元,用于将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。In order to achieve the above object, according to one aspect of the present application, a multi-party authorization device based on blockchain technology is provided. The device includes a first obtaining unit for obtaining an authorization request uploaded by an authorized party, wherein the The authorization request is associated with multiple authorized parties; the second obtaining unit is configured to, in response to the authorization request, obtain the authorization data package uploaded by the primary authorized party among the multiple authorized parties, wherein the uploaded The authorization data packet is encrypted using a first key, and the first key includes a plurality of subkeys, and each of the subkeys corresponds to one of the authorized parties; the third obtaining unit is configured to obtain the A plurality of said sub-keys uploaded by the authorized party; a splicing unit for splicing a plurality of said sub-keys by a preset algorithm to obtain a second key; a matching unit for combining the second secret The key is matched with the first key, and when the match is successful, the authorized data packet is decrypted and authorized to the authorized party.
为了实现上述目的,根据本申请的一个方面,提供了一种计算机非易失性存储介质,所述存储介质包括存储的程序,在所述程序运行时控制所述存储介质所在设备执行上述的基于区块链技术的多方授权方法。In order to achieve the foregoing objective, according to one aspect of the present application, a computer non-volatile storage medium is provided. The storage medium includes a stored program. When the program is running, the device where the storage medium is located is controlled to execute the foregoing Multi-party authorization method of blockchain technology.
为了实现上述目的,根据本申请的一个方面,提供了一种计算机设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,所述处理器执行所述计算机程序时实现上述的基于区块链技术的多方授权方法的步骤。In order to achieve the above objective, according to one aspect of the application, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and running on the processor, and the processor executes all The computer program implements the steps of the above-mentioned multi-party authorization method based on blockchain technology.
在本方案中,通过将密钥拆分得到的多个子密钥,并通过子密钥的管理者(即授权方)分别发送给被授权方,当所有的子密钥拼接出的第二密钥能够解开由第一密钥加密的数据包时,被授权方才能获取数据, 从而提高区块链中数据的安全性。In this solution, multiple sub-keys obtained by splitting the keys are sent to the authorized party through the sub-key manager (that is, the authorized party). When all the sub-keys are spliced together, the second key Only when the key can unlock the data packet encrypted by the first key can the authorized party obtain the data, thereby improving the security of the data in the blockchain.
【附图说明】【Explanation of drawings】
为了更清楚地说明本申请实施例的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其它的附图。In order to explain the technical solutions of the embodiments of the present application more clearly, the following will briefly introduce the drawings needed in the embodiments. Obviously, the drawings in the following description are only some embodiments of the present application. For those of ordinary skill in the art, without creative labor, other drawings can be obtained from these drawings.
图1是本申请实施例提供的一种可选的基于区块链技术的多方授权方法的流程图;Fig. 1 is a flowchart of an optional multi-party authorization method based on blockchain technology provided by an embodiment of the present application;
图2是本申请实施例提供的一种可选的基于区块链技术的多方授权装置的示意图;2 is a schematic diagram of an optional multi-party authorization device based on blockchain technology provided by an embodiment of the present application;
图3是本申请实施例提供的一种可选的计算机设备的示意图。Fig. 3 is a schematic diagram of an optional computer device provided by an embodiment of the present application.
【具体实施方式】【Detailed ways】
为了更好的理解本申请的技术方案,下面结合附图对本申请实施例进行详细描述。In order to better understand the technical solutions of the present application, the following describes the embodiments of the present application in detail with reference to the accompanying drawings.
应当明确,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其它实施例,都属于本申请保护的范围。It should be clear that the described embodiments are only a part of the embodiments of the present application, rather than all the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of this application.
在本申请实施例中使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本申请。在本申请实施例和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。The terms used in the embodiments of the present application are only for the purpose of describing specific embodiments, and are not intended to limit the present application. The singular forms of "a", "said" and "the" used in the embodiments of the present application and the appended claims are also intended to include plural forms, unless the context clearly indicates other meanings.
应当理解,本文中使用的术语“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,一般表示前后关联对象是一种“或”的关系。It should be understood that the term "and/or" used in this article is only an association relationship describing associated objects, which means that there can be three relationships. For example, A and/or B can mean that there is A alone, and both A and B, there are three cases of B alone. In addition, the character "/" in this text generally indicates that the associated objects before and after are in an "or" relationship.
应当理解,尽管在本申请实施例中可能采用术语第一、第二、第三等来描述终端,但这些终端不应限于这些术语。这些术语仅用来将终端彼此区分开。例如,在不脱离本申请实施例范围的情况下,第一获取单元也可以被称为第二获取单元,类似地,第二获取单元也可以被称为第一获取单元。It should be understood that although the terms first, second, third, etc. may be used to describe terminals in the embodiments of the present application, these terminals should not be limited to these terms. These terms are only used to distinguish terminals from each other. For example, without departing from the scope of the embodiments of the present application, the first obtaining unit may also be referred to as the second obtaining unit, and similarly, the second obtaining unit may also be referred to as the first obtaining unit.
取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”或“响应于检测”。类似地,取决于语境,短语“如果确定”或“如果检测(陈述的条件或事件)”可以被解释成为“当确定时”或“响应于确定”或“当检测(陈述的条件或事件)时”或“响应于检测(陈述的条件或事件)”。Depending on the context, the word "if" as used herein can be interpreted as "when" or "when" or "in response to determination" or "in response to detection". Similarly, depending on the context, the phrase "if determined" or "if detected (statement or event)" can be interpreted as "when determined" or "in response to determination" or "when detected (statement or event) )" or "in response to detection (statement or event)".
图1是根据本申请实施例的一种基于区块链技术的多方授权方法的流程图,如图1所示,该方法包括:Fig. 1 is a flowchart of a multi-party authorization method based on blockchain technology according to an embodiment of the present application. As shown in Fig. 1, the method includes:
步骤S101,获取被授权方上传的授权请求,其中,授权请求与多个授权方相关联。Step S101: Obtain an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties.
步骤S102,响应于授权请求,获取多个授权方中的主授权方上传的授权数据包,其中,上传的授权数据包利用第一密钥进行加密处理,第一密钥包括多个子密钥,每个子密钥与一个授权方相对应。Step S102, in response to the authorization request, obtain the authorization data package uploaded by the main authorizer among the multiple authorization parties, where the uploaded authorization data package is encrypted using a first key, and the first key includes multiple subkeys, Each subkey corresponds to an authorized party.
步骤S103,获取被授权方上传的多个子密钥。Step S103: Obtain multiple subkeys uploaded by the authorized party.
步骤S104,通过预设算法将多个子密钥进行拼接,得到第二密钥。In step S104, a plurality of sub-keys are spliced by a preset algorithm to obtain a second key.
步骤S105,将第二密钥与第一密钥进行匹配,当匹配成功,授权数据 包解密并授权给被授权方。In step S105, the second key is matched with the first key. When the matching is successful, the authorization data packet is decrypted and authorized to the authorized party.
在本方案中,通过将密钥拆分得到的多个子密钥,并通过子密钥的管理者(即授权方)分别发送给被授权方,当所有的子密钥拼接出的第二密钥能够解开由第一密钥加密的数据包时,被授权方才能获取数据,从而提高区块链中数据的安全性。In this solution, multiple sub-keys obtained by splitting the keys are sent to the authorized party through the sub-key manager (that is, the authorized party). When all the sub-keys are spliced together, the second key When the key can unlock the data packet encrypted by the first key, the authorized party can obtain the data, thereby improving the security of the data in the blockchain.
可以理解地,多个子密钥中如果缺少某一授权方的子密钥或某一子密钥不正确,都将无法还原出与第一密钥相匹配的第二密钥。例如某一个合同文件的调用需要多个审批员进行授权,在合同文件的主保管人授权后,其余审批员需要将自己的子密钥一一授权给调用方,调用方在集齐子密钥后,才能打开被调用的合同文件。Understandably, if a certain authorized party's subkey is missing or a certain subkey is incorrect among the multiple subkeys, the second key that matches the first key cannot be restored. For example, the call of a certain contract document requires multiple approvers to authorize. After the main custodian of the contract document is authorized, the remaining approvers need to authorize their subkeys to the caller one by one. After the caller collects the subkeys, Only then can the called contract file be opened.
可选地,在响应于授权请求,获取多个授权方中的主授权方上传的授权数据包之前,方法包括:响应于授权请求,生成第一密钥;第一密钥包括多个子密钥,子密钥为一个授权方的身份信息通过哈希运算得到的哈希值;将第一密钥中的每个子密钥用对应一个授权方的标识进行标注。在本实施例中,授权方的身份信息可以是授权方的名字、ID标识、邮箱等与授权方绑定的唯一身份信息。Optionally, before obtaining the authorization data package uploaded by the main authorizer among the multiple authorizers in response to the authorization request, the method includes: in response to the authorization request, generating a first key; the first key includes a plurality of subkeys , The subkey is a hash value obtained by hashing the identity information of an authorized party; each subkey in the first key is marked with an identifier corresponding to an authorized party. In this embodiment, the authorizing party's identity information may be the authorizing party's name, ID identification, mailbox, and other unique identity information bound to the authorizing party.
哈希,也叫散列,就是把任意长度的输入,通过散列算法变成固定长度的输出,输出的就是散列值。根据哈希运算结果长度的不同可以将哈希运算划分为多种,例如16位的哈希运算、32位的哈希运算、128位的哈希运算。在本实施例中,每个子密钥为32位的哈希值,例如第一密钥为128位的哈希序列,分为1~32位的第一子密钥、33~64位的第二子密钥、65~96位的第三子密钥、97~128位的第四子密钥。Hashing, also called hashing, is to transform an input of any length into a fixed-length output through a hashing algorithm, and the output is the hash value. According to the length of the hash operation result, the hash operation can be divided into multiple types, such as 16-bit hash operation, 32-bit hash operation, and 128-bit hash operation. In this embodiment, each subkey is a 32-bit hash value. For example, the first key is a 128-bit hash sequence, which is divided into a first subkey of 1 to 32 bits and a first subkey of 33 to 64 bits. Two subkeys, a third subkey of 65 to 96 bits, and a fourth subkey of 97 to 128 bits.
在其他实施方式中,子密钥包括共有哈希值及私有哈希值。例如:子密钥为32位哈希值,其中前16位的哈希值为共有哈希值,后16位哈希值为 各个授权方的身份信息通过哈希运算得到的私有哈希值。所述共享哈希值为授权数据包的身份信息通过哈希运算得到的哈希值。例如,待授权的合同的编号,或者待授权的文件的名称。通过设置共有哈希值,使得后期在解密后,能够与待授权数据进行一致性匹配,避免授权数据出现掉包或者授权错误的情况。In other embodiments, the subkey includes a shared hash value and a private hash value. For example, the subkey is a 32-bit hash value, where the first 16 bits of the hash value are the shared hash value, and the last 16 bits of the hash value are the private hash value obtained by hashing the identity information of each authorized party. The shared hash value is a hash value obtained by hashing the identity information of the authorization data packet. For example, the number of the contract to be authorized, or the name of the document to be authorized. By setting the shared hash value, after decryption, it can be consistent with the data to be authorized to avoid packet loss or authorization errors in the authorized data.
可选地,哈希运算包括消息摘要算法、安全杂乱信息标准算法中的任意一种,均具有较好的压缩性、抗碰撞性和抗修改性,且计算简便。可以理解,由于哈希运算具备不可逆的特点,即通过哈希序列,无法恢复得到原本运算前的字符串。因此,第三方无法获取授权数据包的多个授权方的身份信息,不能通过私下授权,盗用授权数据包,从而保护了授权数据包的安全性。Optionally, the hash operation includes any one of a message digest algorithm and a standard algorithm for secure messy information, all of which have good compressibility, collision resistance, and modification resistance, and are easy to calculate. It can be understood that because the hash operation has the irreversible feature, that is, the original string before the operation cannot be recovered through the hash sequence. Therefore, the third party cannot obtain the identity information of multiple authorized parties of the authorized data package, and cannot steal the authorized data package through private authorization, thereby protecting the security of the authorized data package.
可选地,通过预设算法将多个子密钥进行拼接,得到第二密钥的方法,包括:Optionally, the method of concatenating multiple subkeys to obtain the second key by using a preset algorithm includes:
确定被授权方上传的子密钥的数量与第一密钥中的子密钥的数量是否相同;如果相同,根据授权方的标识将上传的子密钥进行拼接,得到第二密钥。It is determined whether the number of subkeys uploaded by the authorized party is the same as the number of subkeys in the first key; if they are the same, the uploaded subkeys are spliced according to the identifier of the authorized party to obtain the second key.
在本实施例中,被授权方上传的子密钥设有标识,根据这个标识将子密钥与第一密钥中具有相同标识的子密钥进行匹配。例如,第一密钥的完整序列为A(第一子密钥)+B(第二子密钥)+C(第三子密钥)+D(第四子密钥),那么根据子密钥的标识的排列顺序将子密钥进行拼接,如果,缺少C,那么拼接不出完整的哈希序列,如果排列顺序不一致,第一密钥和第二密钥也不能匹配成功。子密钥匹配过程中,A(第一子密钥)与第一密钥的完整序列中的A部分的序列进行匹配,若匹配成功,则表示该授权方的授权成功。当A、B、C、D四个授权方的子密钥均匹配成功时,授权数据包才 能解密授权成功。In this embodiment, the subkey uploaded by the authorized party is provided with an identifier, and the subkey is matched with the subkey with the same identifier in the first key according to this identifier. For example, the complete sequence of the first key is A (first subkey) + B (second subkey) + C (third subkey) + D (fourth subkey), then according to the subkey The sequence of the key identifiers is to splice the sub-keys. If C is missing, then the complete hash sequence cannot be spliced. If the sequence is inconsistent, the first key and the second key cannot be matched successfully. During the sub-key matching process, A (first sub-key) matches the sequence of part A in the complete sequence of the first key. If the matching is successful, it means that the authorization of the authorized party is successful. When the subkeys of the four authorized parties of A, B, C, and D are all matched successfully, the authorization data packet can be decrypted and authorized successfully.
可选地,在获取被授权方上传的多个子密钥之前,方法还包括:Optionally, before obtaining multiple subkeys uploaded by the authorized party, the method further includes:
利用授权方的公钥对第一密钥中与授权方相对应的子密钥一一进行二次加密;将二次加密后的第一密钥发送给各个授权方,其中,授权方将能够用私钥解密的子密钥发送给被授权方,私钥与公钥为授权方的一对非对称密钥。可以理解地,系统在将第一密钥中的子密钥进行分发时,将待分配的子密钥用接收方的公钥来进行加密处理,那么这个子密钥即使被其他的节点获取也不能打开这个子密钥,获得正确的哈希序列。只有拥有与公钥配对的私钥的一方才能解密子密钥,得到正确的哈希序列。Use the public key of the authorizing party to encrypt the subkeys corresponding to the authorizing party in the first key one by one; send the second encrypted first key to each authorizing party, where the authorizing party will be able to The subkey decrypted with the private key is sent to the authorized party, and the private key and the public key are a pair of asymmetric keys of the authorized party. Understandably, when the system distributes the sub-key in the first key, the sub-key to be distributed is encrypted with the public key of the recipient, so even if the sub-key is acquired by other nodes This subkey cannot be opened to obtain the correct hash sequence. Only the party who owns the private key paired with the public key can decrypt the subkey and obtain the correct hash sequence.
在一种实施方式中,第一密钥的多个子密钥分别通过对应的公钥加密后,可以加密后的完整的第一密钥发给每个授权方,也可以将第一密钥中与授权方标识关联的子密钥单独发给授权方。可以理解地,上述子密钥分配方式,授权方都只能利用私钥解密其中一个子密钥,从而进一步保障授权数据包的安全性。In an embodiment, after the multiple subkeys of the first key are respectively encrypted by corresponding public keys, the encrypted complete first key can be sent to each authorized party, or the first key can be The subkey associated with the authorizing party ID is sent to the authorizing party separately. Understandably, in the above-mentioned sub-key distribution method, the authorized party can only use the private key to decrypt one of the sub-keys, thereby further ensuring the security of the authorized data package.
可选地,在响应于授权请求,获取多个授权方中的主授权方上传的授权数据包之前,方法还包括:响应于授权请求,生成第一密钥K 1,第一密钥K 1用于对主授权方上传的授权数据包进行加密处理;任取n个随机数a 0,…,a n-1,并构造线性多项式a(x)=a 0+a 1x+a 2x 2+…+a n-1x n-1,其中a 0=K 1,x取值[1,n+1],且x、n皆为大于等于1的整数;随机取一个素数p,p>K 1,令取余函数f(x)=a(x)mod(p),并将x依次带入所述预设函数得到f(x 1),…,f(x n+1);将子密钥(x 1,f(x 1)),…,子密钥(x n+1,f(x n+1))分配给n+1个所述授权方。 Optionally, before obtaining the authorization data package uploaded by the main authorizer among the multiple authorizers in response to the authorization request, the method further includes: in response to the authorization request, generating the first key K 1 , and the first key K 1 Used to encrypt the authorization data package uploaded by the main authorizer; take n random numbers a 0 ,..., a n-1 , and construct a linear polynomial a(x) = a 0 + a 1 x + a 2 x 2 +…+a n-1 x n-1 , where a 0 =K 1 , x takes the value [1,n+1], and x and n are integers greater than or equal to 1; randomly select a prime number p, p > K 1 , let the remainder function f(x)=a(x)mod(p), and sequentially bring x into the preset function to obtain f(x 1 ),..., f(x n+1 ); The sub-keys (x 1 , f(x 1 )), ..., the sub-keys (x n+1 , f(x n+1 )) are distributed to n+1 authorized parties.
其中,取余函数是计算线性多项式的结果后对素数p的取余运算,每个子密钥可以通过x的具体取值计算得到。例如:x 1为1,x 2为2,x 3为 3,那么f(x 1)为(a 0+a 1)mod(p),f(x 2)为(a 0+2a 1)mod(p),f(x 3)为(a 0+3a 1+9a 2)mod(p)。 Among them, the remainder function is the remainder operation on the prime number p after calculating the result of the linear polynomial, and each subkey can be calculated by the specific value of x. For example: x 1 is 1, x 2 is 2, x 3 is 3, then f(x 1 ) is (a 0 +a 1 )mod(p), f(x 2 ) is (a 0 +2a 1 )mod (p), f(x 3 ) is (a 0 +3a 1 +9a 2 ) mod(p).
本实施方式中,采用随机数、素数和预设的运算方式,将第一密钥K 1自动生成所需数量个子密钥,生成的子密钥安全性高,难以被破解,从而保障授权数据包的安全性。 In this embodiment, random numbers, prime numbers, and preset calculation methods are used to automatically generate the required number of sub-keys for the first key K 1. The generated sub-keys are highly secure and difficult to be cracked, thereby guaranteeing authorized data Security of the package.
可选地,通过预设算法将多个子密钥进行拼接,得到第二密钥的方法,包括:利用拉格朗日插值公式将多个子密钥恢复,得到第二密钥。Optionally, the method of splicing multiple sub-keys through a preset algorithm to obtain the second key includes: recovering the multiple sub-keys by using a Lagrangian interpolation formula to obtain the second key.
本申请实施例提供了一种基于区块链技术的多方授权装置,该装置用于执行上述基于区块链技术的多方授权法,如图2所示,该装置包括:第一获取单元10、第二获取单元20、第三获取单元30、拼接单元40、匹配单元50。The embodiment of the application provides a multi-party authorization device based on blockchain technology. The device is used to execute the above-mentioned multi-party authorization method based on blockchain technology. As shown in FIG. 2, the device includes: a first obtaining unit 10, The second acquiring unit 20, the third acquiring unit 30, the splicing unit 40, and the matching unit 50.
第一获取单元10,用于获取被授权方上传的授权请求,其中,授权请求与多个授权方相关联;The first obtaining unit 10 is configured to obtain an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties;
第二获取单元20,用于响应于授权请求,获取多个授权方中的主授权方上传的授权数据包,其中,上传的授权数据包利用第一密钥进行加密处理,第一密钥包括多个子密钥,每个子密钥与一个授权方相对应;The second acquiring unit 20 is configured to, in response to the authorization request, acquire the authorization data package uploaded by the main authorizer among the multiple authorization parties, where the uploaded authorization data package is encrypted using a first key, and the first key includes Multiple sub-keys, each sub-key corresponds to an authorized party;
第三获取单元30,用于获取被授权方上传的多个子密钥;The third obtaining unit 30 is configured to obtain multiple subkeys uploaded by the authorized party;
拼接单元40,用于通过预设算法将多个子密钥进行拼接,得到第二密钥;The splicing unit 40 is used for splicing multiple sub-keys using a preset algorithm to obtain a second key;
匹配单元50,用于将第二密钥与第一密钥进行匹配,当匹配成功,授权数据包解密并授权给被授权方。The matching unit 50 is configured to match the second key with the first key. When the matching is successful, the data packet is authorized to be decrypted and authorized to the authorized party.
在本方案中,通过将密钥拆分得到的多个子密钥,并通过子密钥的管理者(即授权方)分别发送给被授权方,当所有的子密钥拼接出的第 二密钥能够解开由第一密钥加密的数据包时,被授权方才能获取数据,从而提高区块链中数据的安全性。In this solution, multiple sub-keys obtained by splitting the keys are sent to the authorized party through the sub-key manager (that is, the authorized party). When all the sub-keys are spliced together, the second key When the key can unlock the data packet encrypted by the first key, the authorized party can obtain the data, thereby improving the security of the data in the blockchain.
可以理解地,多个子密钥中如果缺少某一授权方的子密钥或某一子密钥不正确,都将无法还原出与第一密钥相匹配的第二密钥。例如某一个合同文件的调用需要多个审批员进行授权,在合同文件的主保管人授权后,其余审批员需要将自己的子密钥一一授权给调用方,调用方在集齐子密钥后,才能打开被调用的合同文件。Understandably, if a certain authorized party's subkey is missing or a certain subkey is incorrect among the multiple subkeys, the second key that matches the first key cannot be restored. For example, the call of a certain contract document requires multiple approvers to authorize. After the main custodian of the contract document is authorized, the remaining approvers need to authorize their subkeys to the caller one by one. After the caller collects the subkeys, Only then can the called contract file be opened.
可选地,装置还包括:第一生成单元、标注单元。Optionally, the device further includes: a first generating unit and a labeling unit.
第一生成单元,用于在获取多个授权方中的主授权方上传的授权数据包之前,响应于授权请求,生成第一密钥,第一密钥包括多个子密钥,子密钥为一个授权方的身份信息通过哈希运算得到的哈希值;标注单元,用于将第一密钥中的每个子密钥用对应一个授权方的标识进行标注。在本实施例中,授权方的身份信息可以是授权方的名字、ID标识、邮箱等与授权方绑定的唯一身份信息。The first generating unit is configured to generate a first key in response to the authorization request before obtaining the authorization data package uploaded by the main authorizer among the multiple authorized parties. The first key includes multiple sub-keys, and the sub-keys are A hash value obtained by hashing the identity information of an authorizing party; the labeling unit is used to label each subkey in the first key with an identity of the authorizing party. In this embodiment, the authorizing party's identity information may be the authorizing party's name, ID identification, mailbox, and other unique identity information bound to the authorizing party.
哈希,也叫散列,就是把任意长度的输入,通过散列算法变成固定长度的输出,输出的就是散列值。根据哈希运算结果长度的不同可以将哈希运算划分为多种,例如16位的哈希运算、32位的哈希运算、128位的哈希运算。在本实施例中,每个子密钥为32位的哈希值,例如第一密钥为128位的哈希序列,分为1~32位的第一子密钥、33~64位的第二子密钥、65~96位的第三子密钥、97~128位的第四子密钥。Hashing, also called hashing, is to transform an input of any length into a fixed-length output through a hashing algorithm, and the output is the hash value. According to the length of the hash operation result, the hash operation can be divided into multiple types, such as 16-bit hash operation, 32-bit hash operation, and 128-bit hash operation. In this embodiment, each subkey is a 32-bit hash value. For example, the first key is a 128-bit hash sequence, which is divided into a first subkey of 1 to 32 bits and a first subkey of 33 to 64 bits. Two subkeys, a third subkey of 65 to 96 bits, and a fourth subkey of 97 to 128 bits.
在其他实施方式中,子密钥包括共有哈希值及私有哈希值。例如:子密钥为32位哈希值,其中前16位的哈希值为共有哈希值,后16位哈希值为各个授权方的身份信息通过哈希运算得到的私有哈希值。所述共享哈希值为授权数据包的身份信息通过哈希运算得到的哈希值。例如,待授权的合 同的编号,或者待授权的文件的名称。通过设置共有哈希值,使得后期在解密后,能够与待授权数据进行一致性匹配,避免授权数据出现掉包或者授权错误的情况。In other embodiments, the subkey includes a shared hash value and a private hash value. For example, the subkey is a 32-bit hash value, where the first 16-bit hash value is a shared hash value, and the last 16-bit hash value is a private hash value obtained by hashing the identity information of each authorized party. The shared hash value is a hash value obtained by hashing the identity information of the authorization data packet. For example, the number of the contract to be authorized, or the name of the document to be authorized. By setting the shared hash value, after decryption, it can be consistent with the data to be authorized to avoid packet loss or authorization errors in the authorized data.
可选地,哈希运算包括信息-摘要算法5、信息-摘要算法4、安全杂乱信息标准算法中的任意一种,均具有较好的压缩性、抗碰撞性和抗修改性,且计算简便。可以理解,由于哈希运算具备不可逆的特点,即通过哈希序列,无法恢复得到原本运算前的字符串。因此,第三方无法获取授权数据包的多个授权方的身份信息,不能通过私下授权,盗用授权数据包,从而保护了授权数据包的安全性。Optionally, the hash operation includes any of the information-digest algorithm 5, the information-digest algorithm 4, and the standard algorithm for secure messy information, all of which have good compressibility, collision resistance, and modification resistance, and are easy to calculate . It can be understood that because the hash operation has the irreversible feature, that is, the original string before the operation cannot be recovered through the hash sequence. Therefore, the third party cannot obtain the identity information of multiple authorized parties of the authorized data package, and cannot steal the authorized data package through private authorization, thereby protecting the security of the authorized data package.
可选地,拼接单元40包括确定子单元、匹配子单元。Optionally, the splicing unit 40 includes a determining subunit and a matching subunit.
确定子单元,用于确定被授权方上传的子密钥的数量与第一密钥中的子密钥的数量是否相同;匹配子单元,用于如果相同,根据授权方的标识将上传的子密钥进行拼接,得到第二密钥。The determining sub-unit is used to determine whether the number of sub-keys uploaded by the authorized party is the same as the number of sub-keys in the first key; the matching sub-unit is used to upload the sub-keys according to the identifier of the authorized party if they are the same. The keys are spliced to obtain the second key.
在本实施例中,被授权方上传的子密钥设有标识,根据这个标识将子密钥与第一密钥中具有相同标识的子密钥进行匹配。例如,第一密钥的完整序列为A(第一子密钥)+B(第二子密钥)+C(第三子密钥)+D(第四子密钥),那么根据子密钥的标识的排列顺序将子密钥进行拼接,如果,缺少C,那么拼接不出完整的哈希序列,如果排列顺序不一致,第一密钥和第二密钥也不能匹配成功。子密钥匹配过程中,A(第一子密钥)与第一密钥的完整序列中的A部分的序列进行匹配,若匹配成功,则表示该授权方的授权成功。当A、B、C、D四个授权方的子密钥均匹配成功时,授权数据包才能解密授权成功。In this embodiment, the subkey uploaded by the authorized party is provided with an identifier, and the subkey is matched with the subkey with the same identifier in the first key according to this identifier. For example, the complete sequence of the first key is A (first subkey) + B (second subkey) + C (third subkey) + D (fourth subkey), then according to the subkey The sequence of the key identifiers is to splice the sub-keys. If C is missing, then the complete hash sequence cannot be spliced. If the sequence is inconsistent, the first key and the second key cannot be matched successfully. During the sub-key matching process, A (first sub-key) matches the sequence of part A in the complete sequence of the first key. If the matching is successful, it means that the authorization of the authorized party is successful. When the subkeys of the four authorized parties of A, B, C, and D are all matched successfully, the authorization data packet can be decrypted and authorized successfully.
可选地,装置还包括加密单元、发送单元。Optionally, the device further includes an encryption unit and a sending unit.
加密单元,用于在获取被授权方上传的多个子密钥之前,利用授权方 的公钥对第一密钥中与授权方相对应的子密钥一一进行二次加密;发送单元,用于将二次加密后的第一密钥发送给各个授权方,其中,授权方将能够用私钥解密的子密钥发送给被授权方,私钥与公钥为授权方的一对非对称密钥。The encryption unit is used to use the public key of the authorized party to perform secondary encryption on the sub-keys corresponding to the authorized party in the first key one by one before obtaining the multiple sub-keys uploaded by the authorized party; the sending unit uses Send the second encrypted first key to each authorized party, where the authorized party sends the sub-key that can be decrypted with the private key to the authorized party, and the private key and public key are a pair of asymmetrical Key.
可以理解地,系统在将第一密钥中的子密钥进行分发时,将待分配的子密钥用接收方的公钥来进行加密处理,那么这个子密钥即使被其他的节点获取也不能打开这个子密钥,获得正确的哈希序列。只有拥有与公钥配对的私钥的一方才能解密子密钥,得到正确的哈希序列。Understandably, when the system distributes the sub-key in the first key, the sub-key to be distributed is encrypted with the public key of the recipient, so even if the sub-key is acquired by other nodes This subkey cannot be opened to obtain the correct hash sequence. Only the party who owns the private key paired with the public key can decrypt the subkey and obtain the correct hash sequence.
在一种实施方式中,第一密钥的多个子密钥分别通过对应的公钥加密后,可以加密后的完整的第一密钥发给每个授权方,也可以将第一密钥中与授权方标识关联的子密钥单独发给授权方。可以理解地,上述子密钥分配方式,授权方都只能利用私钥解密其中一个子密钥,从而进一步保障授权数据包的安全性。In an embodiment, after the multiple subkeys of the first key are respectively encrypted by corresponding public keys, the encrypted complete first key can be sent to each authorized party, or the first key can be The subkey associated with the authorizing party ID is sent to the authorizing party separately. Understandably, in the above-mentioned sub-key distribution method, the authorized party can only use the private key to decrypt one of the sub-keys, thereby further ensuring the security of the authorized data package.
可选地,装置还包括第二生成单元、构造单元、设置单元、分配单元。Optionally, the device further includes a second generating unit, a construction unit, a setting unit, and a distribution unit.
第二生成单元,用于响应于授权请求,生成第一密钥K 1,第一密钥K 1用于对主授权方上传的授权数据包进行加密处理;构造单元,用于任取n个随机数a 0,…,a n-1,并构造线性多项式a(x)=a 0+a 1x+a 2x 2+…+a n-1x n- 1,其中a 0=K 1,x取值[1,n+1],n为大于1的整数;设置单元,用于随机取一个素数p,p>K 1,令取余函数f(x)=a(x)mod(p),并将x依次带入所述取余函数得到f(x 1),…,f(x n+1);分配单元,用于将子密钥(x 1,f(x 1)),…,子密钥(x n+1,f(x n+1))分配给n+1个所述授权方。 The second generating unit is used to generate the first key K 1 in response to the authorization request, the first key K 1 is used to encrypt the authorization data package uploaded by the main authorizer; the construction unit is used to take n Random numbers a 0 ,..., a n-1 , and construct a linear polynomial a(x)=a 0 +a 1 x+a 2 x 2 +...+a n-1 x n- 1 , where a 0 =K 1 , X takes the value [1,n+1], n is an integer greater than 1; the setting unit is used to randomly select a prime number p, p>K 1 , and let the remainder function f(x)=a(x)mod( p), and sequentially bring x into the remainder function to obtain f(x 1 ),..., f(x n+1 ); the distribution unit is used to transfer the subkey (x 1 , f(x 1 )) ,..., subkeys (x n+1 , f(x n+1 )) are allocated to n+1 authorized parties.
其中,取余函数是计算线性多项式的结果后对素数p的取余运算,每个子密钥可以通过x的具体取值计算得到。例如:x 1为1,x 2为2,x 3为3,那么f(x 1)为(a 0+a 1)mod(p),f(x 2)为(a 0+2a 1)mod(p),f(x 3) 为(a 0+3a 1+9a 2)mod(p)。 Among them, the remainder function is the remainder operation on the prime number p after calculating the result of the linear polynomial, and each subkey can be calculated by the specific value of x. For example: x 1 is 1, x 2 is 2, x 3 is 3, then f(x 1 ) is (a 0 +a 1 )mod(p), f(x 2 ) is (a 0 +2a 1 )mod (p), f(x 3 ) is (a 0 +3a 1 +9a 2 )mod(p).
本实施方式中,采用随机数、素数和预设的运算方式,将第一密钥K 1自动生成所需数量个子密钥,生成的子密钥安全性高,难以被破解,从而保障授权数据包的安全性。 In this embodiment, random numbers, prime numbers, and preset calculation methods are used to automatically generate the required number of sub-keys for the first key K 1. The generated sub-keys are highly secure and difficult to be cracked, thereby guaranteeing authorized data Security of the package.
可选地,通过预设算法将多个子密钥进行拼接,得到第二密钥的方法,包括:利用拉格朗日插值公式将多个子密钥恢复,得到第二密钥。Optionally, the method of splicing multiple sub-keys through a preset algorithm to obtain the second key includes: recovering the multiple sub-keys by using a Lagrangian interpolation formula to obtain the second key.
本申请实施例提供了一种计算机非易失性存储介质,存储介质包括存储的程序,其中,在程序运行时控制存储介质所在设备执行以下步骤:The embodiment of the present application provides a computer non-volatile storage medium, the storage medium includes a stored program, wherein the device where the storage medium is located is controlled to perform the following steps when the program runs:
获取被授权方上传的授权请求,其中,授权请求与多个授权方相关联;响应于授权请求,获取多个授权方中的主授权方上传的授权数据包,其中,上传的授权数据包利用第一密钥进行加密处理,第一密钥包括多个子密钥,每个子密钥与一个授权方相对应;获取被授权方上传的多个子密钥;通过预设算法将多个子密钥进行拼接,得到第二密钥;将第二密钥与第一密钥进行匹配,当匹配成功,授权数据包解密并授权给被授权方。Obtain the authorization request uploaded by the authorized party, where the authorization request is associated with multiple authorizers; in response to the authorization request, obtain the authorization data package uploaded by the main authorizer among the multiple authorized parties, where the uploaded authorization data package uses The first key performs encryption processing. The first key includes multiple sub-keys, and each sub-key corresponds to an authorized party; obtains multiple sub-keys uploaded by the authorized party; performs multiple sub-keys through a preset algorithm Splice to obtain the second key; match the second key with the first key, and when the matching is successful, the authorization data packet is decrypted and authorized to the authorized party.
可选地,在程序运行时控制存储介质所在设备执行以下步骤:在响应于授权请求,获取多个授权方中的主授权方上传的授权数据包之前,响应于授权请求,生成第一密钥;第一密钥包括多个子密钥,子密钥为一个授权方的身份信息通过哈希运算得到的哈希值;将第一密钥中的每个子密钥与对应一个授权方的标识相关联。Optionally, when the program is running, the device where the storage medium is located is controlled to perform the following steps: before obtaining the authorization data package uploaded by the primary authorizer among the multiple authorizers in response to the authorization request, generate the first key in response to the authorization request ; The first key includes a plurality of sub-keys, the sub-key is a hash value obtained through a hash operation of the identity information of an authorized party; each sub-key in the first key is associated with the identity of the corresponding authorized party United.
可选地,在程序运行时控制存储介质所在设备执行以下步骤:哈希运算包括信息-摘要算法5、信息-摘要算法4、安全杂乱信息标准算法中的任意一种。Optionally, when the program is running, the device where the storage medium is located is controlled to perform the following steps: the hash operation includes any one of the information-digest algorithm 5, the information-digest algorithm 4, and the standard algorithm for secure messy information.
可选地,在程序运行时控制存储介质所在设备执行通过预设算法将多 个子密钥进行拼接得到第二密钥包括以下步骤:确定被授权方上传的子密钥的数量与第一密钥中的子密钥的数量是否相同;如果相同,根据授权方的标识将上传的子密钥进行拼接,得到第二密钥。Optionally, when the program is running, controlling the device where the storage medium is located to execute the splicing of multiple subkeys using a preset algorithm to obtain the second key includes the following steps: determining the number of subkeys uploaded by the authorized party and the first key Whether the number of sub-keys in is the same; if they are the same, the uploaded sub-keys are spliced according to the identifier of the authorized party to obtain the second key.
可选地,在程序运行时控制存储介质所在设备执行以下步骤:在获取被授权方上传的多个所述子密钥之前,利用授权方的公钥对第一密钥中与授权方相对应的子密钥一一进行二次加密;将二次加密后的第一密钥发送给各个授权方,其中,授权方将能够用私钥解密的子密钥发送给被授权方,私钥与公钥为授权方的一对密钥。Optionally, when the program is running, the device where the storage medium is located is controlled to perform the following steps: before obtaining multiple sub-keys uploaded by the authorized party, use the public key of the authorized party to pair the first key corresponding to the authorized party The sub-keys of, are re-encrypted one by one; the first key after the second encryption is sent to each authorized party, where the authorized party sends the sub-key that can be decrypted with the private key to the authorized party, and the private key is The public key is a pair of keys of the authorized party.
图3是本申请实施例提供的一种计算机设备的示意图。如图3所示,该实施例的计算机设备100包括:处理器101、存储器102以及存储在存储器102中并可在处理器101上运行的计算机程序103,该计算机程序103被处理器101执行时实现实施例中的基于区块链技术的多方授权方法,为避免重复,此处不一一赘述。或者,该计算机程序被处理器101执行时实现实施例中基于区块链技术的多方授权装置中各模型/单元的功能,为避免重复,此处不一一赘述。Fig. 3 is a schematic diagram of a computer device provided by an embodiment of the present application. As shown in FIG. 3, the computer device 100 of this embodiment includes a processor 101, a memory 102, and a computer program 103 that is stored in the memory 102 and can run on the processor 101. When the computer program 103 is executed by the processor 101, To implement the multi-party authorization method based on blockchain technology in the embodiment, in order to avoid repetition, it will not be repeated here. Alternatively, when the computer program is executed by the processor 101, the function of each model/unit in the multi-party authorization device based on the blockchain technology in the embodiment is realized. To avoid repetition, it will not be repeated here.
计算机设备100可以是桌上型计算机、笔记本、掌上电脑及云端服务器等计算设备。计算机设备可包括,但不仅限于,处理器101、存储器102。本领域技术人员可以理解,图3仅仅是计算机设备100的示例,并不构成对计算机设备100的限定。The computer device 100 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server. The computer device may include, but is not limited to, a processor 101 and a memory 102. Those skilled in the art can understand that FIG. 3 is only an example of the computer device 100 and does not constitute a limitation on the computer device 100.
所称处理器101可以是中央处理单元(Central Processing Unit,CPU),还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他 可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。The so-called processor 101 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
存储器102可以是计算机设备100的内部存储单元,例如计算机设备100的硬盘或内存。存储器102也可以是计算机设备100的外部存储设备,例如计算机设备100上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。进一步地,存储器102还可以既包括计算机设备100的内部存储单元也包括外部存储设备。存储器102用于存储计算机程序以及计算机设备所需的其他程序和数据。存储器102还可以用于暂时地存储已经输出或者将要输出的数据。The memory 102 may be an internal storage unit of the computer device 100, such as a hard disk or memory of the computer device 100. The memory 102 may also be an external storage device of the computer device 100, such as a plug-in hard disk equipped on the computer device 100, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, and a flash memory card (Flash). Card) and so on. Further, the memory 102 may also include both an internal storage unit of the computer device 100 and an external storage device. The memory 102 is used to store computer programs and other programs and data required by the computer equipment. The memory 102 can also be used to temporarily store data that has been output or will be output.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and conciseness of description, the specific working process of the above-described system, device, and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如,多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative, for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined Or it can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
上述以软件功能单元的形式实现的集成的单元,可以存储在一个计算机可读取存储介质中。上述软件功能单元存储在一个存储介质中,包 括若干指令用以使得一台计算机装置(可以是个人计算机,服务器,或者网络装置等)或处理器(Processor)执行本申请各个实施例所述方法的部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The above-mentioned integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The above-mentioned software functional unit is stored in a storage medium and includes several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (Processor) execute the method described in each embodiment of the present application Part of the steps. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program code .
以上所述仅为本申请的较佳实施例而已,并不用以限制本申请,凡在本申请的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本申请保护的范围之内。The above are only the preferred embodiments of this application and are not intended to limit this application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this application shall be included in this application Within the scope of protection.

Claims (20)

  1. 一种基于区块链技术的多方授权方法,其特征在于,所述方法包括:A multi-party authorization method based on blockchain technology, characterized in that the method includes:
    获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;Obtaining an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties;
    响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理,所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;In response to the authorization request, obtain the authorization data package uploaded by the primary authorizer among the multiple authorization parties, wherein the uploaded authorization data package is encrypted using a first key, and the first secret The key includes multiple sub-keys, and each of the sub-keys corresponds to one of the authorized parties;
    获取所述被授权方上传的多个所述子密钥;Acquiring a plurality of said subkeys uploaded by said authorized party;
    通过预设算法将多个所述子密钥进行拼接,得到第二密钥;Concatenate the multiple sub-keys by a preset algorithm to obtain a second key;
    将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。The second key is matched with the first key, and when the matching is successful, the authorized data packet is decrypted and authorized to the authorized party.
  2. 根据权利要求1所述的方法,其特征在于,在所述响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包之前,所述方法包括:The method according to claim 1, characterized in that, before the obtaining the authorization data package uploaded by the primary authorizer among the plurality of authorizers in response to the authorization request, the method comprises:
    响应于所述授权请求,生成所述第一密钥,所述第一密钥包括多个所述子密钥,所述子密钥为一个所述授权方的身份信息通过哈希运算得到的哈希值;In response to the authorization request, the first key is generated, the first key includes a plurality of the sub-keys, and the sub-key is obtained by hashing the identity information of the authorized party Hash value
    将所述第一密钥中的每个所述子密钥用对应一个所述授权方的标识进行标注。Each of the sub-keys in the first key is labeled with an identifier corresponding to the authorized party.
  3. 根据权利要求2所述的方法,其特征在于,所述哈希运算包括消息摘要算法、安全杂乱信息标准算法中的任意一种。The method according to claim 2, wherein the hash operation includes any one of a message digest algorithm and a standard algorithm for secure messy information.
  4. 根据权利要求2所述的方法,其特征在于,所述通过预设算法将多个所述子密钥进行拼接,得到第二密钥,包括:The method according to claim 2, wherein said concatenating a plurality of said sub-keys through a preset algorithm to obtain a second key comprises:
    确定所述被授权方上传的所述子密钥的数量与所述第一密钥中的子密钥的数量是否相同;Determining whether the number of subkeys uploaded by the authorized party is the same as the number of subkeys in the first key;
    如果相同,根据所述授权方的标识将上传的子密钥进行拼接,得到第二密钥。If they are the same, the uploaded subkeys are spliced according to the identifier of the authorized party to obtain the second key.
  5. 根据权利要求1所述的方法,其特征在于,在所述获取所述被授权方上传的多个所述子密钥之前,所述方法还包括:The method according to claim 1, wherein before said obtaining the plurality of said subkeys uploaded by said authorized party, said method further comprises:
    利用所述授权方的公钥对所述第一密钥中与所述授权方相对应的子密钥一一进行二次加密;Use the public key of the authorizing party to perform secondary encryption on the subkeys corresponding to the authorizing party in the first key one by one;
    将二次加密后的所述第一密钥发送给各个所述授权方,其中,所述授权方将 能够用私钥解密的子密钥发送给所述被授权方,所述私钥与所述公钥为所述授权方的一对非对称密钥。Send the re-encrypted first key to each of the authorized parties, where the authorized party sends the subkey that can be decrypted with the private key to the authorized party, and the private key is the same as the authorized party. The public key is a pair of asymmetric keys of the authorized party.
  6. 根据权利要求1所述的方法,其特征在于,在所述响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包之前,所述方法还包括:The method according to claim 1, characterized in that, before the obtaining the authorization data package uploaded by the primary authorizer among the plurality of authorizers in response to the authorization request, the method further comprises:
    响应于所述授权请求,生成所述第一密钥K1,所述第一密钥K1用于对所述主授权方上传的所述授权数据包进行加密处理;In response to the authorization request, generating the first key K1, where the first key K1 is used to encrypt the authorization data package uploaded by the primary authorizer;
    任取n个随机数a0,…,an-1,并构造线性多项式a(x)=a0+a1x+a2x2+…+an-1xn-1,其中a0=K1,x取值[1,n+1],且x、n皆为大于等于1的整数;Take n random numbers a0,...,an-1, and construct a linear polynomial a(x)=a0+a1x+a2x2+...+an-1xn-1, where a0=K1, x takes the value [1,n+1 ], and x and n are integers greater than or equal to 1;
    随机取一个素数p,p>K1,令取余函数f(x)=a(x)mod(p),并将x依次带入所述取余函数得到f(x1),…,f(xn+1);Randomly take a prime number p, p>K1, set the remainder function f(x)=a(x)mod(p), and bring x into the remainder function in turn to obtain f(x1),...,f(xn +1);
    将子密钥(x1,f(x1)),…,子密钥(xn+1,f(xn+1))分配给n+1个所述授权方。The subkeys (x1, f(x1)),..., the subkeys (xn+1, f(xn+1)) are distributed to n+1 authorized parties.
  7. 根据权利要求6所述的方法,其特征在于,所述通过预设算法将多个所述子密钥进行拼接,得到第二密钥的方法,包括:The method according to claim 6, wherein the method of concatenating a plurality of the sub-keys through a preset algorithm to obtain the second key comprises:
    利用拉格朗日插值公式将多个所述子密钥恢复,得到所述第二密钥。A Lagrangian interpolation formula is used to recover a plurality of the subkeys to obtain the second key.
  8. 一种基于区块链技术的多方授权装置,其特征在于,所述装置包括:A multi-party authorization device based on blockchain technology, characterized in that the device includes:
    第一获取单元,用于获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;The first obtaining unit is configured to obtain an authorization request uploaded by an authorized party, wherein the authorization request is associated with multiple authorized parties;
    第二获取单元,用于响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理,所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;The second acquiring unit is configured to, in response to the authorization request, acquire the authorization data package uploaded by the primary authorizer among the multiple authorization parties, wherein the uploaded authorization data package is encrypted with a first key Processing, the first key includes a plurality of subkeys, and each of the subkeys corresponds to one of the authorized parties;
    第三获取单元,用于获取所述被授权方上传的多个所述子密钥;The third obtaining unit is configured to obtain the multiple sub-keys uploaded by the authorized party;
    拼接单元,用于通过预设算法将多个所述子密钥进行拼接,得到第二密钥;A splicing unit, configured to splice a plurality of said sub-keys using a preset algorithm to obtain a second key;
    匹配单元,用于将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。The matching unit is configured to match the second key with the first key. When the matching is successful, the authorized data packet is decrypted and authorized to the authorized party.
  9. 根据权利要求8所述的装置,其特征在于,所述装置还包括第一生成单元及标注单元;The device according to claim 8, wherein the device further comprises a first generating unit and a labeling unit;
    所述第一生成单元,用于在获取多个所述授权方中的主授权方上传的所述授权数据包之前,响应于所述授权请求,生成所述第一密钥,所述第一密钥包括多 个所述子密钥,所述子密钥为一个所述授权方的身份信息通过哈希运算得到的哈希值;The first generating unit is configured to generate the first key in response to the authorization request before obtaining the authorization data package uploaded by the main authorizer among the plurality of authorized parties, and the first key The key includes a plurality of the subkeys, and the subkey is a hash value obtained by a hash operation of the identity information of the authorized party;
    所述标注单元,用于将所述第一密钥中的每个所述子密钥用对应一个所述授权方的标识进行标注。The labeling unit is configured to label each of the subkeys in the first key with an identifier corresponding to one of the authorized parties.
  10. 根据权利要求9所述的装置,其特征在于,所述哈希运算包括消息摘要算法、安全杂乱信息标准算法中的任意一种。The device according to claim 9, wherein the hash operation includes any one of a message digest algorithm and a standard algorithm for secure messy information.
  11. 根据权利要求9所述的装置,其特征在于,所述拼接单元包括确定子单元及匹配子单元;The device according to claim 9, wherein the splicing unit includes a determining subunit and a matching subunit;
    所述确定子单元,用于确定所述被授权方上传的所述子密钥的数量与所述第一密钥中的子密钥的数量是否相同;The determining subunit is used to determine whether the number of subkeys uploaded by the authorized party is the same as the number of subkeys in the first key;
    所述匹配子单元,用于如果相同,根据所述授权方的标识将上传的子密钥进行拼接,得到第二密钥。The matching subunit is configured to splice the uploaded subkeys according to the identifier of the authorized party if they are the same to obtain the second key.
  12. 根据权利要求8所述的装置,其特征在于,所述装置还包括加密单元及发送单元;The device according to claim 8, wherein the device further comprises an encryption unit and a sending unit;
    加密单元,用于在所述获取所述被授权方上传的多个所述子密钥之前,利用所述授权方的公钥对所述第一密钥中与所述授权方相对应的子密钥一一进行二次加密;The encryption unit is configured to use the public key of the authorizing party to pair the child corresponding to the authorizing party in the first key before obtaining the plurality of sub-keys uploaded by the authorized party. The key is encrypted twice one by one;
    发送单元,用于将二次加密后的所述第一密钥发送给各个所述授权方,其中,所述授权方将能够用私钥解密的子密钥发送给所述被授权方,所述私钥与所述公钥为所述授权方的一对非对称密钥。The sending unit is configured to send the second-encrypted first key to each of the authorized parties, where the authorized party sends the sub-key that can be decrypted with the private key to the authorized party, so The private key and the public key are a pair of asymmetric keys of the authorized party.
  13. 一种计算机设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,其特征在于,所述处理器执行所述计算机程序时实现以下步骤:A computer device comprising a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the following steps when the processor executes the computer program:
    获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;Obtaining an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties;
    响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理,所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;In response to the authorization request, obtain the authorization data package uploaded by the primary authorizer among the multiple authorization parties, wherein the uploaded authorization data package is encrypted using a first key, and the first secret The key includes multiple sub-keys, and each of the sub-keys corresponds to one of the authorized parties;
    获取所述被授权方上传的多个所述子密钥;Acquiring a plurality of said subkeys uploaded by said authorized party;
    通过预设算法将多个所述子密钥进行拼接,得到第二密钥;Concatenate the multiple sub-keys by a preset algorithm to obtain a second key;
    将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。The second key is matched with the first key, and when the matching is successful, the authorized data packet is decrypted and authorized to the authorized party.
  14. 根据权利要求13所述的计算机设备,其特征在于,所述处理器执行所述计算机程序还实现以下步骤:The computer device according to claim 13, wherein the execution of the computer program by the processor further implements the following steps:
    在所述响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包之前,响应于所述授权请求,生成所述第一密钥,所述第一密钥包括多个所述子密钥,所述子密钥为一个所述授权方的身份信息通过哈希运算得到的哈希值;将所述第一密钥中的每个所述子密钥用对应一个所述授权方的标识进行标注。Before the obtaining the authorization data package uploaded by the primary authorizer among the plurality of authorizing parties in response to the authorization request, the first key is generated in response to the authorization request, and the first The key includes a plurality of the sub-keys, and the sub-key is a hash value obtained by a hash operation of the identity information of the authorized party; and each of the sub-keys in the first key is The key is marked with an identifier corresponding to one of the authorized parties.
  15. 根据权利要求14所述的计算机设备,其特征在于,所述处理器执行所述计算机程序实现所述通过预设算法将多个所述子密钥进行拼接得到第二密钥时包括以下步骤:The computer device according to claim 14, wherein the execution of the computer program by the processor to realize the splicing of the plurality of sub-keys through a preset algorithm to obtain the second key comprises the following steps:
    确定所述被授权方上传的所述子密钥的数量与所述第一密钥中的子密钥的数量是否相同;如果相同,根据所述授权方的标识将上传的子密钥进行拼接,得到第二密钥。Determine whether the number of subkeys uploaded by the authorized party is the same as the number of subkeys in the first key; if they are the same, splice the uploaded subkeys according to the identifier of the authorized party , Get the second key.
  16. 根据权利要求13所述的计算机设备,其特征在于,所述处理器执行所述计算机程序时还实现以下步骤:The computer device according to claim 13, wherein the processor further implements the following steps when executing the computer program:
    在所述获取所述被授权方上传的多个所述子密钥之前,利用所述授权方的公钥对所述第一密钥中与所述授权方相对应的子密钥一一进行二次加密;将二次加密后的所述第一密钥发送给各个所述授权方,其中,所述授权方将能够用私钥解密的子密钥发送给所述被授权方,所述私钥与所述公钥为所述授权方的一对非对称密钥。Before obtaining the plurality of subkeys uploaded by the authorized party, perform one-by-one operation on the subkeys corresponding to the authorized party in the first key using the public key of the authorized party Secondary encryption; sending the second-encrypted first key to each of the authorized parties, where the authorized party sends a subkey that can be decrypted with a private key to the authorized party, the The private key and the public key are a pair of asymmetric keys of the authorized party.
  17. 一种计算机非易失性可读存储介质,所述存储介质包括存储的程序,其特征在于,在所述程序运行时控制所述存储介质所在设备执行以下步骤:A computer non-volatile readable storage medium, the storage medium including a stored program, characterized in that, when the program is running, the device where the storage medium is located is controlled to perform the following steps:
    获取被授权方上传的授权请求,其中,所述授权请求与多个授权方相关联;Obtaining an authorization request uploaded by an authorized party, where the authorization request is associated with multiple authorized parties;
    响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包,其中,上传的所述授权数据包利用第一密钥进行加密处理,所述第一密钥包括多个子密钥,每个所述子密钥与一个所述授权方相对应;In response to the authorization request, obtain the authorization data package uploaded by the primary authorizer among the multiple authorization parties, wherein the uploaded authorization data package is encrypted using a first key, and the first secret The key includes multiple sub-keys, and each of the sub-keys corresponds to one of the authorized parties;
    获取所述被授权方上传的多个所述子密钥;Acquiring a plurality of said subkeys uploaded by said authorized party;
    通过预设算法将多个所述子密钥进行拼接,得到第二密钥;Concatenate the multiple sub-keys by a preset algorithm to obtain a second key;
    将所述第二密钥与所述第一密钥进行匹配,当匹配成功,所述授权数据包解密并授权给所述被授权方。The second key is matched with the first key, and when the matching is successful, the authorized data packet is decrypted and authorized to the authorized party.
  18. 根据权利要求17所述的计算机非易失性可读存储介质,其特征在于,在所述程序运行时控制所述存储介质所在设备执行以下步骤:The computer non-volatile readable storage medium according to claim 17, wherein the device where the storage medium is located is controlled to perform the following steps when the program is running:
    在所述响应于所述授权请求,获取多个所述授权方中的主授权方上传的所述授权数据包之前,响应于所述授权请求,生成所述第一密钥,所述第一密钥包括多个所述子密钥,所述子密钥为一个所述授权方的身份信息通过哈希运算得到的哈希值;将所述第一密钥中的每个所述子密钥用对应一个所述授权方的标识进行标注。Before the obtaining the authorization data package uploaded by the primary authorizer among the plurality of authorizing parties in response to the authorization request, the first key is generated in response to the authorization request, and the first The key includes a plurality of the sub-keys, and the sub-key is a hash value obtained by a hash operation of the identity information of the authorized party; and each of the sub-keys in the first key is The key is marked with an identifier corresponding to one of the authorized parties.
  19. 根据权利要求18所述的计算机非易失性可读存储介质,其特征在于,在所述程序运行时控制所述存储介质所在设备执行所述通过预设算法将多个所述子密钥进行拼接得到第二密钥包括以下步骤:The computer non-volatile readable storage medium according to claim 18, wherein when the program is running, the device in which the storage medium is located is controlled to execute the multiple of the subkeys through a preset algorithm. The splicing to obtain the second key includes the following steps:
    确定所述被授权方上传的所述子密钥的数量与所述第一密钥中的子密钥的数量是否相同;如果相同,根据所述授权方的标识将上传的子密钥进行拼接,得到第二密钥。Determine whether the number of subkeys uploaded by the authorized party is the same as the number of subkeys in the first key; if they are the same, splice the uploaded subkeys according to the identifier of the authorized party , Get the second key.
  20. 根据权利要求17所述的计算机非易失性可读存储介质,其特征在于,在所述程序运行时控制所述存储介质所在设备执行以下步骤:The computer non-volatile readable storage medium according to claim 17, wherein the device where the storage medium is located is controlled to perform the following steps when the program is running:
    在所述获取所述被授权方上传的多个所述子密钥之前,利用所述授权方的公钥对所述第一密钥中与所述授权方相对应的子密钥一一进行二次加密;将二次加密后的所述第一密钥发送给各个所述授权方,其中,所述授权方将能够用私钥解密的子密钥发送给所述被授权方,所述私钥与所述公钥为所述授权方的一对非对称密钥。Before obtaining the plurality of subkeys uploaded by the authorized party, perform one-by-one operation on the subkeys corresponding to the authorized party in the first key using the public key of the authorized party Secondary encryption; sending the second-encrypted first key to each of the authorized parties, where the authorized party sends a subkey that can be decrypted with a private key to the authorized party, the The private key and the public key are a pair of asymmetric keys of the authorized party.
PCT/CN2019/104329 2019-05-07 2019-09-04 Blockchain technology-based multi-party authorization method and device WO2020224138A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910374338.6 2019-05-07
CN201910374338.6A CN110224984A (en) 2019-05-07 2019-05-07 A kind of multi-party authorization method and device based on block chain technology

Publications (1)

Publication Number Publication Date
WO2020224138A1 true WO2020224138A1 (en) 2020-11-12

Family

ID=67820581

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/104329 WO2020224138A1 (en) 2019-05-07 2019-09-04 Blockchain technology-based multi-party authorization method and device

Country Status (2)

Country Link
CN (1) CN110224984A (en)
WO (1) WO2020224138A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602089B (en) * 2019-09-11 2021-08-10 腾讯科技(深圳)有限公司 Block chain-based medical data storage method, device, equipment and storage medium
CN111131336B (en) * 2020-03-30 2020-07-17 腾讯科技(深圳)有限公司 Resource access method, device, equipment and storage medium under multi-party authorization scene
CN112307493B (en) * 2020-10-15 2024-02-09 上海东方投资监理有限公司 Project settlement data review sending method, system, terminal equipment and storage medium
CN112272087B (en) * 2020-10-26 2023-04-18 链盟智能科技(广州)有限公司 Application method in block chain based on safe multi-party calculation
CN113259084A (en) * 2021-06-09 2021-08-13 江苏苏宁银行股份有限公司 Method and device for pre-warning of mortgage risk of movable property, computer equipment and storage medium
CN117097476B (en) * 2023-10-19 2024-01-26 浪潮云洲工业互联网有限公司 Data processing method, equipment and medium based on industrial Internet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170372310A1 (en) * 2016-06-27 2017-12-28 Paypal, Inc. Secure key based trust chain among user devices
CN108632284A (en) * 2018-05-10 2018-10-09 网易(杭州)网络有限公司 User data authorization method, medium, device and computing device based on block chain
CN109492419A (en) * 2018-11-27 2019-03-19 众安信息技术服务有限公司 For obtaining the method, apparatus and storage medium of the data in block chain
CN109543441A (en) * 2018-10-08 2019-03-29 北京百度网讯科技有限公司 Database authorization method, device, computer equipment and storage medium
CN109697365A (en) * 2018-12-20 2019-04-30 深圳市元征科技股份有限公司 Information processing method and block chain node, electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106850221B (en) * 2017-04-10 2019-11-08 四川阵风科技有限公司 Information encryption and decryption method and device
CN108702287B (en) * 2018-04-16 2022-04-01 达闼机器人有限公司 Information issuing and acquiring method and device based on block chain and block chain link point
CN108924107B (en) * 2018-06-21 2020-08-21 桂林电子科技大学 Verifiable method for block chain remote medical data calling
CN109120639B (en) * 2018-09-26 2021-03-16 众安信息技术服务有限公司 Data cloud storage encryption method and system based on block chain

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170372310A1 (en) * 2016-06-27 2017-12-28 Paypal, Inc. Secure key based trust chain among user devices
CN108632284A (en) * 2018-05-10 2018-10-09 网易(杭州)网络有限公司 User data authorization method, medium, device and computing device based on block chain
CN109543441A (en) * 2018-10-08 2019-03-29 北京百度网讯科技有限公司 Database authorization method, device, computer equipment and storage medium
CN109492419A (en) * 2018-11-27 2019-03-19 众安信息技术服务有限公司 For obtaining the method, apparatus and storage medium of the data in block chain
CN109697365A (en) * 2018-12-20 2019-04-30 深圳市元征科技股份有限公司 Information processing method and block chain node, electronic equipment

Also Published As

Publication number Publication date
CN110224984A (en) 2019-09-10

Similar Documents

Publication Publication Date Title
WO2020224138A1 (en) Blockchain technology-based multi-party authorization method and device
WO2021238527A1 (en) Digital signature generation method and apparatus, computer device, and storage medium
JP6528008B2 (en) Personal Device Security Using Elliptic Curve Cryptography for Secret Sharing
US10142107B2 (en) Token binding using trust module protected keys
WO2021013245A1 (en) Data key protection method and system, electronic device and storage medium
TWI683566B (en) Quantum key output method, storage consistency verification method, device and system
WO2019214070A1 (en) Encryption method for user communication on block chain, apparatus, terminal device and storage medium
WO2021057073A1 (en) Private key generation and use method, apparatus and device in asymmetric key
CN113364760A (en) Data encryption processing method and device, computer equipment and storage medium
US20190245686A1 (en) Secure crypto system attributes
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN114175572B (en) System and method for performing equal and less operations on encrypted data using a quasi-group operation
WO2022121623A1 (en) Data set intersection method and apparatus
WO2022022009A1 (en) Message processing method and apparatus, device, and storage medium
CN112400299B (en) Data interaction method and related equipment
WO2021042851A1 (en) Data signature method and device for use in blockchain, computer apparatus, and storage medium
US7894608B2 (en) Secure approach to send data from one system to another
CN109474616B (en) Multi-platform data sharing method and device and computer readable storage medium
CN112738051A (en) Data information encryption method, system and computer readable storage medium
WO2014030706A1 (en) Encrypted database system, client device and server, method and program for adding encrypted data
CN115603907A (en) Method, device, equipment and storage medium for encrypting storage data
WO2020042023A1 (en) Instant messaging data encryption method and apparatus
CN115828300A (en) Block chain-based government affair information processing method and system with privacy protection function
CN115766244A (en) Internet of vehicles information encryption method and device, computer equipment and storage medium
WO2022091544A1 (en) Information verification device, electronic control device, and information verification method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19928222

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19928222

Country of ref document: EP

Kind code of ref document: A1