WO2022205963A1 - Cross-chain access control method, and apparatus - Google Patents

Cross-chain access control method, and apparatus

Publication number
WO2022205963A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
identifier
blockchain
account
access control
Application number
PCT/CN2021/133097
Other languages
French (fr)
Chinese (zh)
Inventor
邱鸿霖
Original Assignee
蚂蚁区块链科技(上海)有限公司
支付宝(杭州)信息技术有限公司
Application filed by 蚂蚁区块链科技(上海)有限公司, 支付宝(杭州)信息技术有限公司
Publication of WO2022205963A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The embodiments of this specification relate to the field of blockchain technology, and more particularly, to a cross-chain access control method and apparatus.
  • Blockchain technology, also known as distributed ledger technology, is a decentralized distributed database technology characterized by decentralization, openness, transparency, immutability, and trustworthiness. Each piece of data in the blockchain is broadcast to the blockchain nodes of the entire network, and each full node holds a full, consistent copy of the data.
  • Many different types of chains have emerged, which are applied in the fields of finance, health care, supply chain, asset management and traceability.
  • Most on-chain applications (cryptocurrencies or smart contracts) cannot cross the boundary of the current chain and cannot cooperate with other chains to realize the circulation of data.
  • How to make different types of chains cooperate to realize the circulation of data has become the direction of exploration.
  • In the first blockchain, the cross-chain message to be sent to the second blockchain is written into a receipt of the first blockchain; the off-chain relay device obtains the receipt from the first blockchain and provides the receipt to the second blockchain.
  • The receipt includes a data read request to the second blockchain or a call request to the smart contract.
  • One aspect of this specification provides a cross-chain access control method. The method is executed by a relay device, the relay device is connected to the first blockchain, and the relay device is preset with an access control table corresponding to the first blockchain. The method includes: receiving a write request to the access control table and a digital signature, wherein the digital signature is the digital signature of the sender of the write request on the write request, and the write request includes the identifier of a resource in the first blockchain and the authorization information for the resource; obtaining, based on the identifier of the resource, a public key for verifying the digital signature; verifying the digital signature using the public key; and, in the case of passing the verification, writing the authorization information for the resource in the access control table.
  • Acquiring the public key for verifying the digital signature based on the identifier of the resource includes determining the owner of the resource based on the identifier of the resource, and acquiring the public key of the owner.
  • The identifier of the resource is the account address of a smart contract, and determining the owner of the resource based on the identifier of the resource includes reading the account address of the owner of the smart contract from the account state of the smart contract.
  • The identifier of the resource includes an identifier of a first transaction, wherein determining the owner of the resource based on the identifier of the resource includes reading, from the first blockchain and based on the identifier of the first transaction, the account address that sent the first transaction.
  • The identifier of the resource includes an identifier of a first block, wherein determining the owner of the resource based on the identifier of the resource includes obtaining the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
  • The write request includes an identifier of an authorized account of the resource, and the authorized account is authorized to write the authorization information of the resource in the access control table, wherein writing the authorization information for the resource in the access control table includes writing the identifier of the authorized account of the resource in the access control table.
  • Acquiring the public key for verifying the digital signature based on the identifier of the resource includes reading the identifier of the authorized account in the access control table, and obtaining the public key of the authorized account based on the identifier of the authorized account.
  • The relay device includes a TEE, and the method is performed by the TEE.
  • Another aspect of this specification provides a cross-chain access control apparatus. The apparatus is deployed in a relay device, the relay device is connected to a first blockchain, and the relay device is preset with an access control table corresponding to the first blockchain. The apparatus includes: a receiving unit configured to receive a write request to the access control table and a digital signature, wherein the digital signature is the digital signature of the sender of the write request on the write request, and the write request includes the identifier of a resource in the first blockchain and the authorization information for the resource; an acquiring unit configured to obtain, based on the identifier of the resource, a public key for verifying the digital signature; a verification unit configured to use the public key to verify the digital signature; and a writing unit configured to, in the case of passing the verification, write the authorization information for the resource in the access control table.
  • The obtaining unit includes a determining subunit configured to determine the owner of the resource based on the identifier of the resource, and a first obtaining subunit configured to obtain the public key of the owner.
  • The identifier of the resource is the account address of a smart contract, and the determining subunit is further configured to read the account address of the owner of the smart contract from the account state of the smart contract.
  • The identifier of the resource includes an identifier of the first transaction, and the determining subunit is further configured to read, from the first blockchain and based on the identifier of the first transaction, the account address that sent the first transaction.
  • The identifier of the resource includes the identifier of the first block, wherein the determining subunit is further configured to obtain the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
  • The write request includes an identifier of an authorized account of the resource, and the authorized account is authorized to write the authorization information of the resource in the access control table, wherein the writing unit is further configured to write the identifier of the authorized account of the resource in the access control table.
  • The acquiring unit further includes a reading subunit configured to read the identifier of the authorized account in the access control table, and a second acquiring subunit configured to obtain the public key of the authorized account based on the identifier of the authorized account.
  • The relay device includes a TEE, and the apparatus is deployed in the TEE.
  • Another aspect of the present specification provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, the computer is made to execute any one of the above methods.
  • Another aspect of the present specification provides a computing device, including a memory and a processor, where executable code is stored in the memory, and when the processor executes the executable code, any one of the foregoing methods is implemented.
  • FIG. 1 shows a schematic diagram of a cross-chain system according to an embodiment of the present specification
  • FIG. 2 shows a flowchart of a cross-chain access control method according to an embodiment of the present specification
  • FIG. 3 shows a flowchart of a cross-chain access control method according to an embodiment of the present specification
  • FIG. 4 shows a cross-chain access control apparatus 400 according to an embodiment of the present specification.
  • FIG. 1 shows a schematic diagram of a cross-chain system according to an embodiment of the present specification.
  • The cross-chain system includes a first blockchain 11, a relay device network 12 and a second blockchain 13.
  • The relay device network 12 includes a plurality of relay devices with a predetermined connection relationship.
  • FIG. 1 only schematically shows the first relay device 121 and the second relay device 122, and the other ones are represented by dotted lines. The first relay device 121 and the second relay device 122 may be directly connected, or may be connected through other relay devices.
  • Each relay device in the relay device network 12 is connected to at least one blockchain, and each relay device stores a look-up table that records the correspondence of a predetermined number of relay devices to the blockchain to which it is connected. Therefore, through the plurality of relay devices in the relay device network 12, the relay device network can be connected with more blockchains.
  • FIG. 1 schematically shows that the first blockchain 11 is connected to the first relay device 121, and the second blockchain 13 is connected to the second relay device
  • The second blockchain 13 sends an access request to the first blockchain 11 through the relay device network 12, and the access request is, for example, to read data in the first blockchain 11 or to call smart contracts in the first blockchain 11.
  • The second blockchain 13 sends the access request to the first relay device 121 through the relay device network 12 based on the lookup table, and the first relay device 121 determines, based on the access control table (ACL table), whether the access request is authorized, so as to determine whether to access the first blockchain 11 in response to the access request.
  • ACL table: access control table
  • Each relay device is further provided with an ACL table writing module, and the ACL table writing module includes an identity authentication sub-module and a resource authentication sub-module.
  • When the user sends, through the user's device, an ACL table write request to, for example, the first relay device 121 to set the authorization information of a resource, the first relay device 121 calls the ACL table writing module, first determines the owner or the authorized person of the resource through the resource authentication sub-module, and then determines through the identity authentication sub-module whether the sender of the write request is the owner of the resource or the authorized person of the resource, so as to determine whether to write to the ACL table based on the write request.
  • Fig. 2 shows a flow chart of a method for cross-chain access control according to an embodiment of the present specification.
  • the method is executed by the first relay device 121 in Fig. 1.
  • The method includes the following steps: step S202, receive a write request to the ACL table and a signature, where the signature is the digital signature of the sender of the write request on the write request, and the write request includes the identifier of the resource to be authorized in the first blockchain; step S204, determine the owner of the resource; step S206, verify whether the signature is the signature of the owner; step S208, in the case where the digital signature is not the owner's signature, verify whether the signature is the signature of the authorized account of the resource; step S210, write the ACL table based on the write request.
  • The owner of a resource in the first blockchain 11 sends a request to write to the ACL table and a digital signature for the write request to the first relay device 121 through his device, so that the first relay device 121 executes step S202 to receive the above resource owner's write request to the ACL table and signature.
  • The digital signature is a digital signature of the write request made using the account private key of the sender of the write request, and the write request includes the identifier of the specific resource to be authorized in the first blockchain.
  • The resources may include, for example, block data, transaction data, smart contracts and the like in the first blockchain 11.
  • The write request may include the identifier of the block data, the identifier of the transaction data or the identifier of the smart contract.
  • The identifier of the block data includes, for example, the domain name of the first blockchain, the hash value of the block header or the block number, etc.; the identifier of the transaction data includes, for example, the domain name of the first blockchain, the identifier of the block of the transaction data and the transaction number, etc.; the identifier of the smart contract includes, for example, the domain name of the first blockchain and the account of the smart contract.
  • the write request is, for example, a request to write the authorization content of a specific resource in the ACL table.
  • the authorized content includes, for example, the domain name of the blockchain authorized to use the specific resource, the authorized usage mode of the specific resource, and the like.
  • the authorized use methods include calling methods, and for resources such as block data and transaction data, the authorized use methods include reading methods, and so on.
  • the first relay device 121 executes step S204 to determine the owner of the resource.
  • After receiving the above write request to the ACL table, the first relay device 121 first needs to confirm who is the owner of the specific resource in the write request, so as to determine whether the sender of the write request is the owner of the specific resource, that is, to determine whether the sender has permission to write to the ACL table. Therefore, the first relay device 121 determines the owner of the resource through its resource authentication sub-module.
  • The specific resource is a smart contract deployed in the first blockchain 11, and the account address of the owner of the smart contract is recorded in the owner field in the account state of the smart contract.
  • The resource authentication sub-module can read the owner field in the account state of the smart contract to obtain the owner's account address, and can obtain the owner's account public key by reading the account state of the owner's account.
  • The specific resource is transaction data stored in the first blockchain 11.
  • different blockchains may have different regulations on the owner of the transaction data.
  • the transaction data of the transaction includes the transaction sender's certificate data
  • the owner of the transaction data is specified as the transaction sender
  • the owner of the transaction can be specified as the owner of the blockchain in the blockchain.
  • The resource authentication sub-module can obtain the specified description of the owner of the transaction data from the first blockchain 11. For example, if the resource authentication sub-module determines that the owner of the transaction data is the sender of the transaction, the resource authentication sub-module reads the transaction data from the first blockchain 11, thereby obtaining from the transaction data the sending account of the transaction, and the account public key of the sending account can be obtained from the account state of the sending account.
  • If the resource authentication sub-module determines that the owner of the transaction data is the owner of the first blockchain 11, the resource authentication sub-module can obtain the domain name certificate of the first blockchain 11 from the domain name certificate authority. The domain name certificate includes the domain name and the public key of the domain name owner, so as to identify the owner of the domain name, so that the resource authentication sub-module can obtain the public key of the owner of the first blockchain 11 from the domain name certificate.
  • The resource authentication sub-module can store the domain name certificate locally in the first relay device 121 for subsequent authentication of resources in the first blockchain 11.
  • The specific resource is block data in the first blockchain 11, and generally, the owner of the block data is the owner of the corresponding blockchain. Therefore, the resource authentication sub-module can obtain the domain name certificate of the first blockchain 11 from the domain name certificate authority or locally, similarly to the above, so as to obtain the public key of the owner of the first blockchain 11 from the domain name certificate.
  • The first relay device 121 executes step S206 to determine, through the identity authentication sub-module, whether the signature of the write request is the signature of the owner of the specific resource. Specifically, after obtaining the public key of the owner of the specific resource, the identity authentication sub-module uses the public key to decrypt the digital signature of the write request, calculates the hash value of the write request, and compares whether the decrypted data and the hash value are the same. If they are the same, it can be determined that the signature of the write request is the signature of the owner of the specific resource, so that the first relay device 121 can perform step S210 and write the ACL table through the ACL table writing module.
  • Table 1 shows a schematic diagram of the ACL table corresponding to the first blockchain 11.
  • The column "Resource" is used to record the identifier of the resource in the first blockchain 11, where the resource includes, for example, block data, transaction data, smart contracts, etc., and the column "Blockchain identifier" is used to record the identity of the blockchain that is authorized to use the corresponding resource.
  • The domain name of the blockchain is used as the identity of the blockchain, and the column "Access Mode" is used to record the authorized access mode for the corresponding resource.
  • The access mode includes calling the contract and reading the data. Specifically, assuming that the domain name of the second blockchain 13 is domain name 2, it is recorded in Table 1 that the second blockchain 13 is authorized to call the first contract in the first blockchain 11 and to read transaction q in block p in the first blockchain 11.
  • The access control list shown in Table 1 is only illustrative and not restrictive.
  • The blockchain identifier column is not limited to recording the domain name of the blockchain; other blockchain identifiers used to uniquely identify the blockchain can be recorded.
  • The access control table is not limited to including the 3 columns shown in Table 1; only one or two of them may be recorded. For example, if only the "Resource" column of Table 1 is included in the access control table, this means that all blockchains are authorized to call the first contract and to read transaction q in block p and block m.
  • After the first relay device 121 writes the access authority to the specific resource in the ACL table, when an off-chain device of the first blockchain 11 (for example, a node device of the second blockchain 13) accesses the specific resource in the first blockchain 11 through the first relay device 121, the first relay device 121 will perform access control based on the permission setting corresponding to the specific resource in the ACL table.
  • the write request is, for example, a request to write an account identifier authorized to set access rights to a specific resource in the ACL table, where the account identifier is, for example, an account public key or an account address.
  • After determining, through the resource authentication sub-module and the identity authentication sub-module, that the signature of the write request is the signature of the owner of the specific resource, the first relay device 121 writes in the ACL table the identifier of the account authorized for the specific resource.
  • Table 2 shows a schematic diagram of the ACL table in this embodiment.
  • The authorized account column is used to record the account public key of the account authorized to set the access authority of the resource in the ACL table (shown schematically as abc456 in Table 2). It can be understood that the column of authorized accounts in Table 2 is not limited to recording the account public key, but can also record the account address.
  • The first relay device 121 may perform step S208 to determine whether the signature is the signature of an authorized account.
  • The first relay device 121 reads the account public key of the authorized account of the specific resource from the ACL table through the ACL table writing module, and uses the public key to verify the signature, thereby determining whether the signature is the signature of the authorized account.
  • The ACL table writing module in the first relay device 121 can obtain the public key corresponding to the account based on the account address, and use the public key to verify the signature.
  • In the case where the ACL table writing module determines that the signature is the signature of an authorized account and, for example, the write request includes a restriction on the access authority to the first contract account, the first relay device 121 writes, based on the write request and through the ACL table writing module, the blockchain identifier, access mode and other contents associated with the first contract account, as shown in Table 1, in the ACL table. If it is determined by performing step S208 that the signature is not the signature of the authorized account, the method execution flow ends, and the ACL table is not written.
  • FIG. 3 shows a flowchart of a method for cross-chain access control according to an embodiment of the present specification.
  • The method is executed by, for example, the first relay device 121 in FIG. 1, and the method includes the following steps S302-S310.
  • The write request includes a signature indication field, which is used to indicate whether the signature of the write request is the signature of the resource owner or the signature of the resource authorized account.
  • The first relay device 121 first executes step S302, and receives a write request to the ACL table and the sender's digital signature for the write request from the sender device. After that, the first relay device 121 executes step S304, and reads the signature indication field in the write request.
  • step S306 similarly to the above to determine the resource and in step S308, it is determined whether the signature is the signature of the owner, to determine whether to execute step S312, that is, to determine whether to write the ACL table. If the signature indication field indicates that the signature is the signature of an authorized account, that is, the write request is sent by an authorized account, the first relay device 121 performs step S310 similarly to the above to determine whether the signature is the signature of the authorized account, so as to determine whether to write to the ACL table.
  • the first relay device 121 for executing the above method may be a trusted device, or may include a Trusted Execution Environment (TEE), and execute the above method in the TEE.
  • the sender of the write request (i.e., the resource owner or the authorized person of the resource)
  • The sender device may send an authentication request to the TEE.
  • After receiving the verification request, the TEE generates authentication information based on its internal mechanism, and sends the authentication information and the hardware public key of the TEE to the sender device.
  • The authentication information includes, for example, signature information, hardware information, software information, and the like of the TEE.
  • The signature information is generated by, for example, the hardware key of the TEE; the hardware information includes, for example, various hardware indicators, such as CPU frequency, memory capacity, etc.; the software information includes the code hash value, code name, version, run log, etc. of each program.
  • a TEE can perform "measurements" of a program running in it through memory hardware, such as obtaining a code hash of the program, a hash of the program's memory occupancy at a particular point of execution, etc.
  • the authentication information includes "measurement" information for the program, which is authentic and credible because the "measurement" information is executed by the TEE's own entity (memory hardware) without involving any software or operating system.
  • the sender device may send the authentication information to the remote authentication server of the TEE, so as to receive the verification result of the TEE from the server.
  • the verification result includes the identity verification of the TEE, the verification of the internal execution program of the TEE, and the like. Therefore, the sender device can determine that the TEE is authentic and the processing result of the TEE is authentic based on the verification result.
  • The first relay device 121 can verify the resource access request based on the ACL table corresponding to the first blockchain 11 to determine whether the second blockchain 13 has access rights to the required resources, and after the verification passes, sign the resource access request using the TEE private key and provide the resource access request and the TEE signature to the first blockchain 11.
  • The first blockchain 11 verifies the TEE signature through the pre-obtained TEE public key, and if the verification passes, it can be determined that the resource access request has passed the access authority verification of the first relay device 121, so that the resource access request is processed.
  • FIG. 4 shows a cross-chain access control apparatus 400 according to an embodiment of the present specification.
  • The apparatus 400 is deployed in a relay device, the relay device is connected to the first blockchain, and the relay device is preset with an access control table corresponding to the first blockchain. The apparatus 400 includes: a receiving unit 41, configured to receive a write request to the access control table and a digital signature, wherein the digital signature is the digital signature of the write request by the sender of the write request, and the write request includes the identifier of the resource in the first blockchain and the authorization information for the resource; an obtaining unit 42, configured to obtain a public key for verifying the digital signature based on the identifier of the resource; a verification unit 43, configured to use the public key to verify the digital signature; and a writing unit 44, configured to, in the case of passing the verification, write the authorization information for the resource in the access control table.
  • The obtaining unit 42 includes a determining subunit 421 configured to determine the owner of the resource based on the identifier of the resource, and a first obtaining subunit 422 configured to obtain the public key of the owner.
  • The identifier of the resource is the account address of the smart contract
  • The determining subunit 421 is further configured to read the account address of the owner of the smart contract from the account state of the smart contract.
  • The identifier of the resource includes an identifier of the first transaction
  • The determining subunit 421 is further configured to read, from the first blockchain and based on the identifier of the first transaction, the account address that sent the first transaction.
  • The identifier of the resource includes the identifier of the first block
  • The determining subunit 421 is further configured to obtain the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
  • The write request includes an identifier of an authorized account of the resource, and the authorized account is authorized to write the authorization information of the resource in the access control table, wherein the writing unit 44 is further configured to write the identifier of the authorized account of the resource in the access control table.
  • The obtaining unit 42 further includes a reading subunit 423, configured to read the identifier of the account authorized with respect to the resource in the access control table, and a second obtaining subunit 424, configured to obtain the public key of the authorized account based on the identifier of the authorized account.
  • the relay device includes a TEE, and the apparatus is deployed in the TEE.
  • Another aspect of the present specification provides a computer-readable storage medium on which a computer program is stored, when the computer program is executed in a computer, the computer is made to execute any one of the above methods.
  • Another aspect of the present specification provides a computing device, including a memory and a processor, where executable code is stored in the memory, and when the processor executes the executable code, any one of the foregoing methods is implemented.
  • the software module can be placed in random access memory (RAM), internal memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the art.

Abstract

A cross-chain access control method, and an apparatus, the method being executed by a relay device (12), the relay device (12) being connected to a first blockchain (11), and the relay device (12) being pre-provided with an access control list corresponding to the first blockchain (11). The method comprises: receiving a digital signature and a write request for the access control list, wherein the digital signature is a digital signature of a sender of the write request for said write request, and the write request comprises an identifier of a resource in the first blockchain as well as authorization information for the resource; obtaining a public key for verifying the digital signature on the basis of the identifier of the resource; performing verification on the digital signature using the public key; and when verification is passed, writing the authorization information for the resource into the access control list.

Description

A method and apparatus for cross-chain access control
Technical Field
The embodiments of this specification relate to the field of blockchain technology, and more particularly to a cross-chain access control method and apparatus.
Background
Blockchain technology, also known as distributed ledger technology, is a decentralized distributed database technology characterized by decentralization, openness and transparency, immutability, and trustworthiness. Every piece of data on a blockchain is broadcast to the blockchain nodes of the whole network, and every full node holds a complete and consistent copy of the data. As blockchain technology has grown in popularity, many different types of chains have emerged, applied in fields such as finance, healthcare, supply chain, asset management and traceability. However, most on-chain applications (cryptocurrencies or smart contracts) cannot cross the boundary of their own chain and cannot cooperate with other chains to let data circulate, which limits what blockchains can do. How to make different types of chains cooperate so that data can circulate has become a direction of exploration.
In one existing cross-chain technique, a cross-chain message to be sent to a second blockchain is written into a receipt of a first blockchain; an off-chain relay device obtains the receipt from the first blockchain and provides it to the second blockchain. The receipt includes a data read request to the second blockchain or a call request to a smart contract. In this case, in order to ensure the security of the data in the blockchain, how to control access rights to the second blockchain is a problem that urgently needs to be solved.
Therefore, a more effective cross-chain access control scheme is needed.
Summary of the Invention
The embodiments of this specification aim to provide a more effective cross-chain access control scheme that addresses the deficiencies of the prior art.
To achieve the above purpose, one aspect of this specification provides a cross-chain access control method. The method is executed by a relay device, the relay device is connected to a first blockchain, and the relay device is preset with an access control table corresponding to the first blockchain. The method includes: receiving a write request for the access control table and a digital signature, wherein the digital signature is the digital signature of the sender of the write request over the write request, and the write request includes an identifier of a resource in the first blockchain and authorization information for the resource; obtaining, based on the identifier of the resource, a public key for verifying the digital signature; verifying the digital signature using the public key; and, if the verification passes, writing the authorization information for the resource into the access control table.
In one embodiment, obtaining the public key for verifying the digital signature based on the identifier of the resource includes determining the owner of the resource based on the identifier of the resource, and obtaining the public key of the owner.
In one embodiment, the identifier of the resource is the account address of a smart contract, and determining the owner of the resource based on the identifier of the resource includes reading the account address of the owner of the smart contract from the account state of the smart contract.
In one embodiment, the identifier of the resource includes an identifier of a first transaction, wherein determining the owner of the resource based on the identifier of the resource includes reading, from the first blockchain and based on the identifier of the first transaction, the account address that sent the first transaction.
In one embodiment, the identifier of the resource includes an identifier of a first block, wherein determining the owner of the resource based on the identifier of the resource includes obtaining the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
In one embodiment, the write request includes an identifier of an authorized account of the resource, the authorized account being authorized to write authorization information of the resource in the access control table, wherein writing the authorization information for the resource in the access control table includes writing the identifier of the authorized account of the resource in the access control table.
In one embodiment, obtaining the public key for verifying the digital signature based on the identifier of the resource includes reading the identifier of the authorized account in the access control table, and obtaining the public key of the authorized account based on the identifier of the authorized account.
In one embodiment, the relay device includes a TEE, and the method is performed by the TEE.
Another aspect of this specification provides a cross-chain access control apparatus. The apparatus is deployed in a relay device, the relay device is connected to a first blockchain, and the relay device is preset with an access control table corresponding to the first blockchain. The apparatus includes: a receiving unit, configured to receive a write request for the access control table and a digital signature, wherein the digital signature is the digital signature of the sender of the write request over the write request, and the write request includes an identifier of a resource in the first blockchain and authorization information for the resource; an obtaining unit, configured to obtain, based on the identifier of the resource, a public key for verifying the digital signature; a verification unit, configured to verify the digital signature using the public key; and a writing unit, configured to write the authorization information for the resource into the access control table if the verification passes.
In one embodiment, the obtaining unit includes a determining subunit, configured to determine the owner of the resource based on the identifier of the resource, and a first obtaining subunit, configured to obtain the public key of the owner.
In one embodiment, the identifier of the resource is the account address of a smart contract, and the determining subunit is further configured to read the account address of the owner of the smart contract from the account state of the smart contract.
In one embodiment, the identifier of the resource includes an identifier of a first transaction, wherein the determining subunit is further configured to read, from the first blockchain and based on the identifier of the first transaction, the account address that sent the first transaction.
In one embodiment, the identifier of the resource includes an identifier of a first block, wherein the determining subunit is further configured to obtain the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
In one embodiment, the write request includes an identifier of an authorized account of the resource, the authorized account being authorized to write authorization information of the resource in the access control table, wherein the writing unit is further configured to write the identifier of the authorized account of the resource in the access control table.
In one embodiment, the obtaining unit further includes a reading subunit, configured to read the identifier of the authorized account in the access control table, and a second obtaining subunit, configured to obtain the public key of the authorized account based on the identifier of the authorized account.
In one embodiment, the relay device includes a TEE, and the apparatus is deployed in the TEE.
Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to execute any one of the above methods.
Another aspect of this specification provides a computing device, including a memory and a processor, where executable code is stored in the memory, and when the processor executes the executable code, any one of the above methods is implemented.
With the cross-chain access control scheme according to the embodiments of this specification, only the owner of a resource, or an account authorized by the resource owner, can set the access rights of that resource in the ACL table, which safeguards the data security of the blockchain. Having a TEE in the relay device execute the scheme further safeguards data security.
Brief Description of the Drawings
The embodiments of this specification can be made clearer by describing them with reference to the accompanying drawings:
FIG. 1 shows a schematic diagram of a cross-chain system according to an embodiment of this specification;
FIG. 2 shows a flowchart of a cross-chain access control method according to an embodiment of this specification;
FIG. 3 shows a flowchart of a cross-chain access control method according to an embodiment of this specification;
FIG. 4 shows a cross-chain access control apparatus 400 according to an embodiment of this specification.
Detailed Description
The embodiments of this specification are described below with reference to the accompanying drawings.
FIG. 1 shows a schematic diagram of a cross-chain system according to an embodiment of this specification. As shown in FIG. 1, the cross-chain system includes a first blockchain 11, a relay device network 12 and a second blockchain 13. The relay device network 12 includes a plurality of relay devices with a predetermined connection relationship. FIG. 1 shows only the first relay device 121 and the second relay device 122; the cloud drawn in dashed lines indicates that the first relay device 121 and the second relay device 122 may be connected directly or through other relay devices. Each relay device in the relay device network 12 is connected to at least one blockchain, and each relay device stores a lookup table that records, for a predetermined number of relay devices, which blockchains they are connected to, so that through its many relay devices the relay device network can be connected to more blockchains. FIG. 1 schematically shows the first blockchain 11 connected to the first relay device 121 and the second blockchain 13 connected to the second relay device 122.
The second blockchain 13, for example, sends an access request to the first blockchain 11 through the relay device network 12; the access request is, for example, to read data in the first blockchain 11 or to call a smart contract in the first blockchain 11. Specifically, the second blockchain 13 uses the lookup table to send the access request through the relay device network 12 to the first relay device 121, and the first relay device 121 determines, based on an access control table (ACL table), whether the access request is authorized, so as to decide whether to access the first blockchain 11 in response to the access request.
Therefore, how the ACL table is built is a key part of ensuring the security of cross-chain access. As shown in FIG. 1, in the embodiments of this specification each relay device is further provided with an ACL table writing module, which includes an identity authentication sub-module and a resource authentication sub-module. When a user, through the user's device, sends an ACL table write request to, for example, the first relay device 121 in order to set the authorization information of a resource, the first relay device 121 calls the ACL table writing module. It first determines the owner or the authorized party of the resource through the resource authentication sub-module, and then determines through the identity authentication sub-module whether the sender of the write request is the owner of the resource or the authorized party of the resource, thereby determining whether to write to the ACL table based on the write request.
It can be understood that the above description with reference to FIG. 1 is only illustrative and is not intended to limit the scope of the embodiments of this specification. The access control method is described in detail below.
FIG. 2 shows a flowchart of a cross-chain access control method according to an embodiment of this specification. The method is executed, for example, by the first relay device 121 in FIG. 1 and includes the following steps: step S202, receiving a write request for the ACL table and a signature, the signature being the digital signature of the sender of the write request over the write request, and the write request including the identifier of the resource in the first blockchain that is to be authorized; step S204, determining the owner of the resource; step S206, verifying whether the signature is the signature of the owner; step S208, if it is verified that the digital signature is not the signature of the owner, verifying whether the signature is the signature of an authorized account of the resource; step S210, writing to the ACL table based on the write request.
The method shown in FIG. 2 is described below through several embodiments.
In one embodiment, the owner of a resource in the first blockchain 11 sends, through the owner's device, a write request for the ACL table and a digital signature over that write request to the first relay device 121, so that the first relay device 121 executes step S202 and receives the resource owner's write request for the ACL table and the signature. The digital signature is a signature over the write request made with the account private key of the sender of the write request, and the write request includes the identifier of the specific resource in the first blockchain that is to be authorized. The resource may include, for example, block data, transaction data, smart contracts and the like in the first blockchain 11. Correspondingly, the write request may include the identifier of block data, the identifier of transaction data or the identifier of a smart contract. The identifier of block data includes, for example, the domain name of the first blockchain and the block header hash or block number; the identifier of transaction data includes, for example, the domain name of the first blockchain, the identifier of the block containing the transaction and the transaction number; the identifier of a smart contract includes, for example, the domain name of the first blockchain and the account of the smart contract. The write request asks, for example, to write the authorization content for the specific resource into the ACL table. The authorization content includes, for example, the domain names of the blockchains authorized to use the specific resource and the authorized ways of using it. For example, for a smart contract resource the authorized ways of use include calling, and for resources such as block data and transaction data the authorized ways of use include reading, and so on.
After that, the first relay device 121 executes step S204 to determine the owner of the resource.
After receiving the above write request for the ACL table, the first relay device 121 first needs to confirm who the owner of the specific resource named in the write request is, in order to determine whether the sender of the write request is the owner of that resource, that is, whether the sender has permission to write to the ACL table. The first relay device 121 therefore determines the owner of the resource through its resource authentication sub-module.
For example, the specific resource is a smart contract deployed in the first blockchain 11, and the owner field in the account state of the smart contract records the account address of the owner of the smart contract. The resource authentication sub-module can thus read the owner field in the account state of the smart contract to obtain the owner's account address, and can obtain the owner's public key by reading the account state of the owner's account.
For example, the specific resource is transaction data stored in the first blockchain 11. Different blockchains may define the owner of transaction data differently. For example, in one kind of blockchain the transaction data of a transaction includes evidence data deposited by the transaction sender, and that blockchain specifies that the owner of the transaction data is the transaction sender; another kind of blockchain may specify that the owner of a transaction is the owner of the blockchain. The resource authentication sub-module can obtain from the first blockchain 11 the rule that states who owns transaction data. If, for example, the resource authentication sub-module determines that the owner of the transaction data is the sender of the transaction, it reads the transaction data from the first blockchain 11, obtains from it the account that sent the transaction, and can obtain the account public key of that sending account from its account state. If the resource authentication sub-module determines that the owner of the transaction data is the owner of the first blockchain 11, it can obtain the domain name certificate of the first blockchain 11 from a domain name certificate authority. The domain name certificate includes the domain name and the public key of the domain name owner and serves to identify the owner of the domain name, so the resource authentication sub-module can obtain the public key of the owner of the first blockchain 11 from the domain name certificate. In addition, after obtaining the domain name certificate of the first blockchain 11 for the first time, the resource authentication sub-module can store the certificate locally on the first relay device 121 for later authentication of resources in the first blockchain 11.
For example, the specific resource is block data in the first blockchain 11. Usually the owner of block data is the owner of the corresponding blockchain. The resource authentication sub-module can therefore, as above, obtain the domain name certificate of the first blockchain 11 from the domain name certificate authority or from local storage, and obtain the public key of the owner of the first blockchain 11 from that certificate.
Then the first relay device 121 executes step S206 and determines, through the identity authentication sub-module, whether the signature of the write request is the signature of the owner of the specific resource. Specifically, after obtaining the public key of the owner of the specific resource, the identity authentication sub-module uses the public key to decrypt the digital signature of the write request, computes the hash value of the write request, and compares the decrypted data with the hash value. If they are the same, the signature of the write request is the signature of the owner of the specific resource, and the first relay device 121 can execute step S210 and write to the ACL table through the ACL table writing module. If they differ, the first relay device 121 does not write to the ACL table based on the write request. Controlling writes to the ACL table in this way improves the data security of the first blockchain 11. Table 1 shows a schematic ACL table corresponding to the first blockchain 11.
Table 1

| Resource | Blockchain identifier | Access mode |
| --- | --- | --- |
| First contract account | Domain name 2, domain name 4 | Call transfer |
| Block p, transaction q | Domain name 2 | Read |
| Block m | Domain name 3 | Read |

In Table 1, the "Resource" column records the identifier of a resource in the first blockchain 11, such as block data, transaction data or a smart contract. The "Blockchain identifier" column records the identifiers of the blockchains authorized to use the corresponding resource; Table 1 uses the blockchain's domain name as its identifier. The "Access mode" column records the authorized way of accessing the corresponding resource, such as calling a contract or reading data. Specifically, assuming the domain name of the second blockchain 13 is domain name 2, Table 1 records that the second blockchain 13 is granted permission to call the first contract in the first blockchain 11 and permission to read transaction q in block p of the first blockchain 11.
It can be understood that the access control table shown in Table 1 is only illustrative and not restrictive. For example, the blockchain identifier column is not limited to recording the domain name of a blockchain and may record any other identifier that uniquely identifies a blockchain. The access control table is also not limited to the three columns shown in Table 1 and may record only one or two of them. For example, an access control table that includes only the "Resource" column of Table 1 means that every blockchain is granted permission to call the first contract and to read transaction q in block p and block m.
After the first relay device 121 has written the access rights for a specific resource into the ACL table, when a device outside the first blockchain 11 (for example a node device of the second blockchain 13) accesses that resource in the first blockchain 11 through the first relay device 121, the first relay device 121 performs access control based on the permission settings for that resource in the ACL table.
In one embodiment, the write request asks, for example, to write into the ACL table the identifier of an account that is authorized to set access rights for a specific resource; the account identifier is, for example, an account public key or an account address. In this case, after determining through the resource authentication sub-module and the identity authentication sub-module that the signature of the write request is the signature of the owner of the specific resource, the first relay device 121 writes the identifier of the account authorized for the specific resource into the ACL table. Table 2 shows a schematic ACL table for this embodiment.
Table 2

| Resource | Blockchain identifier | Access mode | Authorized account |
| --- | --- | --- | --- |
| First contract account | | | abc456, cde352 |
| Block p, transaction q | | | Dec678, ebc426 |

Unlike Table 1, the ACL table shown in Table 2 also includes an "Authorized account" column, which records the account public key (shown schematically as abc456 and so on in Table 2) of each account that is authorized to set the access rights of the resource in the ACL table. It can be understood that the "Authorized account" column in Table 2 is not limited to recording account public keys and may also record account addresses.
In another embodiment, after executing step S206 and determining that the signature of the write request is not the signature of the resource owner, the first relay device 121 may execute step S208 to determine whether the signature is the signature of an authorized account. Specifically, the first relay device 121 reads the account public key of the authorized account of the specific resource from the ACL table through the ACL table writing module and uses that public key to verify the signature, thereby determining whether the signature is the signature of the authorized account. Where the ACL table records the account address of the authorized account, the ACL table writing module in the first relay device 121 can obtain the public key corresponding to the account based on the account address and use the public key to verify the signature.
If the ACL table writing module determines that the signature is the signature of an authorized account and, for example, the write request sets access rights for the first contract account, the first relay device 121, based on the write request, uses the ACL table writing module to write into the ACL table the blockchain identifier, access mode and other content associated with the first contract account, as shown in Table 1. If step S208 determines that the signature is not the signature of an authorized account, the method ends and the ACL table is not written.
FIG. 3 shows a flowchart of a cross-chain access control method according to an embodiment of this specification. The method is performed, for example, by the first relay device 121 in FIG. 1, and includes the following steps S302-S310.
In this embodiment, the write request includes a signature indication field, which indicates whether the signature of the write request is the signature of the resource owner or the signature of an authorized account of the resource. The first relay device 121 first performs step S302 and receives, from the sender device, the write request for the ACL table and the sender's digital signature of the write request. The first relay device 121 then performs step S304 and reads the signature indication field in the write request. If the signature indication field indicates that the signature is the resource owner's, that is, the write request was sent by the owner of the resource, the first relay device 121 performs, similarly to the above, step S306 to determine the owner of the resource and step S308 to determine whether the signature is the owner's signature, in order to decide whether to perform step S312, that is, whether to write to the ACL table. If the signature indication field indicates that the signature is the signature of an authorized account, that is, the write request was sent by an authorized account, the first relay device 121 performs, similarly to the above, step S310 to determine whether the signature is the signature of an authorized account, and thereby decides whether to write to the ACL table.
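The write-authorization flow of FIG. 3, together with the owner-granted "authorized account" column of Table 2, as an added Go sketch that is not part of the patent text. It assumes Ed25519 signatures over a JSON encoding of the request and in-memory maps in place of the on-chain owner and public-key lookups; all type, field and function names are hypothetical, and rejecting authorized-account requests that try to add further authorized accounts is an assumption of this sketch.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// WriteRequest is an assumed encoding of an ACL write request.
type WriteRequest struct {
	SignerIsOwner bool   // signature indication field read in step S304
	Resource      string // resource identifier, e.g. a contract account address
	BlockchainID  string // chain being granted access (Table 1 column)
	Access        string // access method (Table 1 column)
	GrantWriter   string // account to add to the "authorized account" column
}

// ACLEntry is one row of Table 2.
type ACLEntry struct {
	BlockchainID, Access string
	Writers              []string
}

// Relay holds the ACL plus in-memory stand-ins for the on-chain lookups.
type Relay struct {
	owners map[string]string            // resource -> owner account
	keys   map[string]ed25519.PublicKey // account -> public key
	acl    map[string]*ACLEntry
}

var ErrBadSignature = errors.New("not signed by the owner or an authorized account")
var ErrOwnerOnly = errors.New("only the owner may add an authorized account")

// signingBytes returns the bytes the signature covers; struct field order is fixed.
func signingBytes(req WriteRequest) []byte {
	b, _ := json.Marshal(req)
	return b
}

func sign(priv ed25519.PrivateKey, req WriteRequest) []byte {
	return ed25519.Sign(priv, signingBytes(req))
}

func (r *Relay) signedBy(account string, msg, sig []byte) bool {
	pub, ok := r.keys[account]
	return ok && ed25519.Verify(pub, msg, sig)
}

// HandleWrite follows FIG. 3: resolve the verification key, verify, then write.
func (r *Relay) HandleWrite(req WriteRequest, sig []byte) error {
	msg, e, ok := signingBytes(req), r.acl[req.Resource], false
	if req.SignerIsOwner { // S306 + S308; an unknown resource resolves to no key
		ok = r.signedBy(r.owners[req.Resource], msg, sig)
	} else if e != nil { // S310: try each account in the authorized column
		for _, w := range e.Writers {
			ok = ok || r.signedBy(w, msg, sig)
		}
	}
	if !ok {
		return ErrBadSignature
	}
	if !req.SignerIsOwner && req.GrantWriter != "" {
		return ErrOwnerOnly // assumption: the page describes this write for owners only
	}
	if e == nil { // S312: write the authorization information
		e = &ACLEntry{}
		r.acl[req.Resource] = e
	}
	if req.BlockchainID != "" {
		e.BlockchainID, e.Access = req.BlockchainID, req.Access
	}
	if req.GrantWriter != "" {
		e.Writers = append(e.Writers, req.GrantWriter)
	}
	return nil
}

// demoRelay builds a relay with constructed accounts and one constructed resource.
func demoRelay() (*Relay, map[string]ed25519.PrivateKey) {
	r := &Relay{map[string]string{}, map[string]ed25519.PublicKey{}, map[string]*ACLEntry{}}
	privs := map[string]ed25519.PrivateKey{}
	for _, name := range []string{"owner", "delegate", "stranger"} {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		r.keys[name], privs[name] = pub, priv
	}
	r.owners["first-contract-account"] = "owner"
	return r, privs
}

func main() {
	r, k := demoRelay()
	perm := WriteRequest{Resource: "first-contract-account", BlockchainID: "chain-2", Access: "read"}
	grant := WriteRequest{SignerIsOwner: true, Resource: perm.Resource, GrantWriter: "delegate"}
	fmt.Println("delegate before grant:", r.HandleWrite(perm, sign(k["delegate"], perm)))
	fmt.Println("owner grants delegate:", r.HandleWrite(grant, sign(k["owner"], grant)))
	fmt.Println("delegate after grant: ", r.HandleWrite(perm, sign(k["delegate"], perm)))
}
```

Because the signature indication field is part of the signed bytes, a request signed as an authorized account cannot be replayed with the field flipped to claim owner authority.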
The first relay device 121 that executes the above method may be a trusted device, or may include a trusted execution environment (TEE) and execute the above method in the TEE. Before sending a write request to the first relay device 121 through its device, the sender of the write request (that is, the resource owner or the authorized party of the resource) may first verify the TEE in the first relay device 121. Specifically, the sender device may send a verification request to the TEE. After receiving the verification request, the TEE generates authentication information based on its internal mechanism and sends the authentication information and the TEE's hardware public key to the sender device. The authentication information includes, for example, the TEE's signature information, hardware information and software information. The signature information is generated, for example, with the TEE's hardware key; the hardware information includes, for example, indicators of various hardware, such as CPU clock frequency and memory capacity; the software information includes the code hash value, code name, version, run log and the like of each program. As those skilled in the art know, a TEE can "measure" a program running in it by means of memory hardware, for example by obtaining the program's code hash value or the hash value of the memory the program occupies at a specific execution point, and include this "measurement" information about the program in the authentication information. Because the "measurement" is performed by the TEE's own entity (memory hardware) and involves no software or operating system, it is authentic and trustworthy. After receiving the authentication information, the sender device may send it to the TEE's remote attestation server and receive from that server a verification result for the TEE. The verification result includes verification of the TEE's identity, verification of the programs executing inside the TEE, and so on. Based on this verification result, the sender device can determine that the TEE is trustworthy and that the TEE's processing results are trustworthy.
When, for example, the second blockchain 13 sends a resource access request to the first blockchain 11 through the relay device network 12, the first relay device 121 may verify the resource access request against the ACL table corresponding to the first blockchain 11 to determine whether the second blockchain 13 has access permission for the requested resource. After the verification passes, it signs the resource access request with the TEE private key and provides the resource access request and the TEE signature to the first blockchain 11. The first blockchain 11 verifies the TEE signature with the TEE public key obtained in advance; if the verification passes, it can determine that the resource access request has passed the access permission check of the first relay device 121, and it then processes the resource access request.
FIG. 4 shows a cross-chain access control apparatus 400 according to an embodiment of this specification. The apparatus 400 is deployed in a relay device, the relay device is connected to a first blockchain, and an access control table corresponding to the first blockchain is preset in the relay device. The apparatus 400 includes: a receiving unit 41, configured to receive a write request for the access control table and a digital signature, where the digital signature is the digital signature of the write request by the sender of the write request, and the write request includes an identifier of a resource in the first blockchain and authorization information for the resource; an obtaining unit 42, configured to obtain, based on the identifier of the resource, a public key for verifying the digital signature; a verification unit 43, configured to verify the digital signature using the public key; and a writing unit 44, configured to write the authorization information for the resource into the access control table if the verification passes.
In one implementation, the obtaining unit 42 includes a determining subunit 421, configured to determine the owner of the resource based on the identifier of the resource, and a first obtaining subunit 422, configured to obtain the owner's public key.
In one implementation, the identifier of the resource is the account address of a smart contract, and the determining subunit 421 is further configured to read the account address of the owner of the smart contract from the account state of the smart contract.
In one implementation, the identifier of the resource includes an identifier of a first transaction, and the determining subunit 421 is further configured to read, based on the identifier of the first transaction, the address of the account that sent the first transaction from the first blockchain.
In one implementation, the identifier of the resource includes an identifier of a first block, and the determining subunit 421 is further configured to obtain the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
In one implementation, the write request includes an identifier of an authorized account of the resource, the authorized account being authorized to write authorization information of the resource into the access control table, and the writing unit 44 is further configured to write the identifier of the authorized account of the resource into the access control table.
In one implementation, the obtaining unit 42 further includes a reading subunit 423, configured to read from the access control table the identifier of the account authorized with respect to the resource, and a second obtaining subunit 424, configured to obtain the public key of the authorized account based on the identifier of the authorized account.
In one implementation, the relay device includes a TEE, and the apparatus is deployed in the TEE.
Another aspect of this specification provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform any one of the above methods.
Another aspect of this specification provides a computing device, including a memory and a processor, where the memory stores executable code and the processor implements any one of the above methods when executing the executable code.
With the cross-chain access control scheme according to the embodiments of this specification, only the owner of a resource or an account authorized by the resource owner can set the access permissions of that resource in the ACL table, which safeguards the data security of the blockchain. Having the TEE in the relay device execute the scheme according to the embodiments of this specification further safeguards data security.
It should be understood that descriptions such as "first" and "second" herein merely distinguish similar concepts for simplicity of description and have no other limiting effect.
The embodiments in this specification are described in a progressive manner. For the same or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, the system embodiments are described relatively briefly because they are basically similar to the method embodiments; for the relevant parts, refer to the corresponding description of the method embodiments.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the figures do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In some implementations, multitasking and parallel processing are also possible or may be advantageous.
Those of ordinary skill in the art should further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their functions. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application. The software modules may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The specific implementations described above further explain in detail the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the above are merely specific implementations of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (18)

  1. A cross-chain access control method, the method being performed by a relay device, the relay device being connected to a first blockchain, an access control table corresponding to the first blockchain being preset in the relay device, the method comprising:
    receiving a write request for the access control table and a digital signature, wherein the digital signature is the digital signature of the write request by the sender of the write request, and the write request includes an identifier of a resource in the first blockchain and authorization information for the resource;
    obtaining, based on the identifier of the resource, a public key for verifying the digital signature;
    verifying the digital signature using the public key;
    if the verification passes, writing the authorization information for the resource into the access control table.
  2. The method according to claim 1, wherein obtaining, based on the identifier of the resource, the public key for verifying the digital signature comprises determining the owner of the resource based on the identifier of the resource, and obtaining the owner's public key.
  3. The method according to claim 2, wherein the identifier of the resource is the account address of a smart contract, and determining the owner of the resource based on the identifier of the resource comprises reading the account address of the owner of the smart contract from the account state of the smart contract.
  4. The method according to claim 2, wherein the identifier of the resource includes an identifier of a first transaction, and determining the owner of the resource based on the identifier of the resource comprises reading, based on the identifier of the first transaction, the address of the account that sent the first transaction from the first blockchain.
  5. The method according to claim 2, wherein the identifier of the resource includes an identifier of a first block, and determining the owner of the resource based on the identifier of the resource comprises obtaining the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
  6. The method according to any one of claims 1-5, wherein the write request includes an identifier of an authorized account of the resource, the authorized account being authorized to write authorization information of the resource into the access control table, and writing the authorization information for the resource into the access control table comprises writing the identifier of the authorized account of the resource into the access control table.
  7. The method according to claim 1, wherein obtaining, based on the identifier of the resource, the public key for verifying the digital signature comprises reading the identifier of the authorized account from the access control table, and obtaining the public key of the authorized account based on the identifier of the authorized account.
  8. The method according to claim 1, wherein the relay device includes a TEE, and the method is performed by the TEE.
  9. A cross-chain access control apparatus, the apparatus being deployed in a relay device, the relay device being connected to a first blockchain, an access control table corresponding to the first blockchain being preset in the relay device, the apparatus comprising:
    a receiving unit, configured to receive a write request for the access control table and a digital signature, wherein the digital signature is the digital signature of the write request by the sender of the write request, and the write request includes an identifier of a resource in the first blockchain and authorization information for the resource;
    an obtaining unit, configured to obtain, based on the identifier of the resource, a public key for verifying the digital signature;
    a verification unit, configured to verify the digital signature using the public key;
    a writing unit, configured to write the authorization information for the resource into the access control table if the verification passes.
  10. The apparatus according to claim 9, wherein the obtaining unit includes a determining subunit, configured to determine the owner of the resource based on the identifier of the resource, and a first obtaining subunit, configured to obtain the owner's public key.
  11. The apparatus according to claim 10, wherein the identifier of the resource is the account address of a smart contract, and the determining subunit is further configured to read the account address of the owner of the smart contract from the account state of the smart contract.
  12. The apparatus according to claim 10, wherein the identifier of the resource includes an identifier of a first transaction, and the determining subunit is further configured to read, based on the identifier of the first transaction, the address of the account that sent the first transaction from the first blockchain.
  13. The apparatus according to claim 10, wherein the identifier of the resource includes an identifier of a first block, and the determining subunit is further configured to obtain the domain name certificate of the first blockchain based on the domain name of the first blockchain included in the identifier of the first block.
  14. The apparatus according to any one of claims 9-13, wherein the write request includes an identifier of an authorized account of the resource, the authorized account being authorized to write authorization information of the resource into the access control table, and the writing unit is further configured to write the identifier of the authorized account of the resource into the access control table.
  15. The apparatus according to claim 9, wherein the obtaining unit further includes a reading subunit, configured to read the identifier of the authorized account from the access control table, and a second obtaining subunit, configured to obtain the public key of the authorized account based on the identifier of the authorized account.
  16. The apparatus according to claim 9, wherein the relay device includes a TEE, and the apparatus is deployed in the TEE.
  17. A computer-readable storage medium on which a computer program is stored, wherein, when the computer program is executed in a computer, it causes the computer to perform the method according to any one of claims 1-8.
  18. A computing device, including a memory and a processor, wherein the memory stores executable code, and the processor implements the method according to any one of claims 1-8 when executing the executable code.
PCT/CN2021/133097 2021-03-30 2021-11-25 Cross-chain access control method, and apparatus WO2022205963A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110339818.6A CN112800404B (en) 2021-03-30 2021-03-30 Cross-link access control method and device
CN202110339818.6 2021-03-30

Publications (1)

Publication Number Publication Date
WO2022205963A1 true WO2022205963A1 (en) 2022-10-06

Family

ID=75815986

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/133097 WO2022205963A1 (en) 2021-03-30 2021-11-25 Cross-chain access control method, and apparatus

Country Status (2)

Country Link
CN (2) CN112800404B (en)
WO (1) WO2022205963A1 (en)

Also Published As

Publication number Publication date
CN112800404B (en) 2021-07-23
CN113656780A (en) 2021-11-16
CN113656780B (en) 2023-12-19
CN112800404A (en) 2021-05-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21934599

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21934599

Country of ref document: EP

Kind code of ref document: A1