CN108123936A - A kind of access control method and system based on block chain technology - Google Patents

Publication number: CN108123936A
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Application number: CN201711326186.XA
Other languages: Chinese (zh)
Other versions: CN108123936B (en)
Inventors: 朱岩, 尹昊, 秦瑶
Current assignee: University of Science and Technology Beijing USTB
Original assignee: University of Science and Technology Beijing USTB
Application filed by University of Science and Technology Beijing USTB

Classifications: H04L63/102; G06F16/2228; G06F16/2255; G06Q20/382; G06Q40/04; H04L63/205

Abstract

An access control method and system based on blockchain technology combines blockchain technology with attribute-based access control. Object attributes are recorded on chain, policies serve as the basis for decisions, and the decision process over attributes and policies is bound to every blockchain node. Access authorization thereby changes from centralized to distributed: the blockchain's consensus mechanism provides a network-wide consistency check of the decision result, and the authorization operation, an access record transaction, is permanently recorded on the blockchain. The method resists single points of failure, authorizes flexibly, draws access boundaries precisely, and produces auditable records. The invention suits operating environments such as enterprises and governments that have data-privacy protection requirements and in which multiple branch organizations cooperate on a blockchain platform; it manages users' access rights in the system dynamically and extensibly, achieves fine-grained rights management around policies and attributes, and has important practical significance for securing information systems in distributed network environments.

Description

Access control method and system based on blockchain technology
Technical Field
The invention relates to a secure access method built on a blockchain. The access control method and system based on blockchain technology combine the existing attribute-based access control architecture with the existing characteristics of a blockchain platform to form an access control method and system on a blockchain.
Background
Blockchain technology has attracted wide attention because of characteristics such as decentralization, tamper resistance and transparent disclosure of data. It has been applied in many fields in an attempt to solve the hard-to-quantify losses caused by a lack of trust, and its first application, Bitcoin, has demonstrated its potential and feasibility through years of experiment and stable operation. A blockchain is essentially a distributed ledger: multiple nodes in the network operate and maintain it together using peer-to-peer technology, and every node holds a copy of the ledger. In a blockchain, the smallest unit of the data structure is the transaction, which represents the trigger of a system event; the transactions verified within a period of time are packaged into a block, which represents confirmation of the transactions of that period. Blockchain technology relies on the collision resistance of a hash function: a hash pointer is placed in the data structure of each block, a series of blocks is linked in time order into a chain structure, and all nodes run a consistency (consensus) algorithm to generate new blocks by consensus, which guarantees that the chain is one-way and non-branching.
However, as blockchain technology has developed and been applied, the peer-to-peer relationship between nodes means that the access rights of users to system content are essentially undifferentiated. Such a fully open ledger system finds it hard to meet application scenarios with complex requirements and to protect data privacy effectively according to the wishes of users.
In existing solutions, a blockchain is treated as a distributed system or a cluster similar to cloud storage, and a traditional access control method is introduced to manage access rights: an authorization center is set up to filter users' access requests, and only authorized users obtain results, which protects users' private data. Applying such conventional access control methods to blockchains raises the following problems:
1) Reduced reliability: because the added authorization center requires users to access through a uniform interface, the distributed structure becomes a centralized one; a single point of failure at the authorization center makes the authorization mechanism unavailable and reduces the reliability of the system.
2) Insufficient diversity: the open nature of the blockchain increases the uncertainty of the size and identity of the user population, and conventional access control cannot define enough methods to satisfy all possible situations.
3) Lack of extensibility: the authorization center predefines the authorization of each user, specifying which data on the blockchain that user can access; with users changing dynamically in the blockchain, the method lacks extensibility and has difficulty adapting to those changes.
4) Large management overhead: the user population of a blockchain is large and users join and leave dynamically, so the authorization center must frequently establish permission mappings for different users, which increases management overhead.
Disclosure of Invention
In order to solve these problems, make full use of the advantages of blockchain distribution, and achieve dynamically extensible access control for data privacy protection and user rights management, the invention introduces the concept of attributes and, combining it with an attribute-based access control architecture, provides a novel blockchain-based access control system.
The invention provides an access control method and system based on a blockchain that dynamically manage users' access authorization and solve the problem of equal, undifferentiated user permissions in the blockchain, thereby meeting practical requirements under more complex conditions.
The technical scheme of the invention is as follows: an access control method based on blockchain technology, in which the functional modules involved are:
1) Blockchain module BCM: stores transactions in a chained data structure; each transaction represents the trigger of a system event, and each block records the system events that occurred over a period of time.
2) Federation node module UNM: maintains all system members of the blockchain module BCM. The members are peers; each may be a computer node or a program running on a computer. The members connect to one another to form a peer-to-peer network and execute a consistency algorithm to generate identical blocks to be written into the public ledger.
3) Policy management module PAM: manages policies, accepts policies issued by owners, and provides the policy set matching the attributes associated with an access request.
4) Attribute acquisition module AGM: provides the policy decision unit PDU in the federation node module UNM with the set of attributes associated with an access request.
The blockchain module BCM of the blockchain-based access control method contains two transaction types:
1) Access record transaction atx: records an access request initiated by a user; three entities, the subject, the object and the action, are extracted to form the content of the transaction.
2) Object attribute transaction otx: records the object attributes of a resource issued by its owner; the attribute set describing the resource is extracted to form the content of the transaction.
The federation node module UNM of the blockchain-based access control method includes:
1) Chain operation unit COU: connects directly to the blockchain module BCM, providing a write method for generating blocks and a read method for querying blocks and transaction data.
2) Policy enforcement unit PEU: the access interface provided to users; it responds to users' access requests.
3) Policy decision unit PDU: collects policies and attributes, computes the decision result for an access record transaction atx, and publishes it.
4) Data storage unit DSU: deployed on part of the federation node module UNM, it provides access to resources and distributes indices, so the unit need not be present on every blockchain node.
The policy enforcement unit PEU in the federation node module UNM performs the following operations:
1) Receiving an access request: the user sends an access request to the federation node module UNM, where it is received and processed by the policy enforcement unit PEU.
2) Issuing an access record: the entities in the access request are extracted and their data structure reorganized to form an access record transaction atx, which is sent to the federation node module UNM.
3) Obtaining the decision result: the read method of the chain operation unit COU is called to query whether the access record transaction atx exists in the blockchain module BCM, which yields the decision result for the access request.
4) Executing the requested operation: if the chain operation unit COU returns the access record transaction atx, the decision succeeded and the policy enforcement unit PEU requests the data storage unit DSU to execute the operation in the access request; otherwise the policy enforcement unit PEU discards the access request and processes the next one.
The decision process of the policy decision unit PDU in the federation node module UNM includes:
1) Receiving an access record: the policy enforcement unit PEU sends the access record transaction atx to the federation node module UNM, where it is received and processed by the policy decision unit PDU.
2) Querying entity attributes: the subject, object and action identifiers are extracted from the access record transaction atx; the getsub method of the attribute acquisition module AGM is called to obtain the user's subject attribute set; the read method of the chain operation unit COU is called to query all object attribute transactions otx related to the resource, and the current object attribute set of the resource is computed from them in time order; the action attribute is obtained directly by converting the action identifier.
3) Matching policies to attributes: the attribute sets from the previous step are merged and sent to the policy management module PAM, whose policy matching method (matched) is called to obtain the policy set applicable to the current access request.
4) Obtaining environmental conditions: while computing the decision, environmental conditions missing from the policy set are obtained by calling the getenv method of the attribute acquisition module AGM.
5) Computing the decision result: the decision result for the access request is computed from the policies and attributes. If the decision passes, the access record transaction atx is sent to the chain operation unit COU, whose write method is called to record it in the blockchain module BCM; otherwise the transaction is discarded.
The data storage unit DSU in the federation node module UNM provides the following methods and operations:
1) Storing a resource (put method): receives the resource description and content submitted by the owner; if verification shows that the description matches the content, the submission is valid and is stored in the resource database.
2) Object attribute chaining: for a newly uploaded resource, the object attributes are extracted and organized into an object attribute transaction otx, and the write method of the chain operation unit COU is called to record it in the blockchain module BCM. As the resource changes in the database, a new transaction is appended after the previous one to form a service flow, so the on-chain object attributes of the resource can be updated at any time.
3) Obtaining a resource (get method): the resource identifier is extracted from the access record transaction atx and the read method of the chain operation unit COU is called to query whether the transaction exists in the blockchain module BCM. If it exists, access is authorized and the resource is retrieved and returned; if not, the transaction is discarded and the next one is processed.
The policy management module PAM of the blockchain-based access control method provides the following methods:
1) Publishing a policy (publish method): receives the access policy description and content submitted by the owner to the policy management module PAM; if the policy format checks out, the policy is valid and is stored in the policy database.
2) Matching policies (matched method): receives the attribute set sent by the policy decision unit PDU in the federation node module UNM, matches the associated policies in the policy database, and returns them as a set.
The attribute acquisition module AGM of the blockchain-based access control method provides the following methods:
1) Obtaining subject attributes (getsub method): the attribute database stores the information of registered users; according to the subject in the access request, the attribute acquisition module AGM extracts all attributes of that user from the attribute database, forms a set and returns it to the policy decision unit PDU.
2) Obtaining environmental conditions (getenv method): devices such as a clock, a GPS receiver and sensors are connected to the attribute acquisition module AGM and can acquire the current environmental conditions in real time; on a query request from the policy decision unit PDU, the attribute acquisition module AGM immediately collects this information, forms a set and responds to the request.
The resource publishing operation of the blockchain-based access control method includes:
1) Resource data storage: the data storage unit DSU receives the resource description and content sent by the owner and stores the resource in the object database.
2) Object attribute chaining: the data storage unit DSU extracts the object attributes from the description and data submitted by the owner and sends them to the federation node module UNM.
3) Policy issuing: the policy management module PAM receives the policy file made by the owner for the uploaded resource and stores it in the policy database.
The access control process of the blockchain-based access control method includes:
1) Issuing an access record: the user sends the access request to the policy enforcement unit PEU, which extracts the subject, object and action from the request, organizes them into an access record transaction atx and sends it to the federation node module UNM.
2) Querying entity attributes: the policy decision unit PDU receives and processes the access record transaction atx, extracts the entities in it, and obtains the attribute sets of the entities involved in the access request from the attribute acquisition module AGM and the chain operation unit COU respectively.
3) Policy matching: the policy decision unit PDU sends the attribute set to the policy management module PAM to request the applicable policies; the policy database is searched and matched against the attribute set, and the policy management module PAM returns the result to the policy decision unit PDU.
4) Computing the decision result: the policy decision unit PDU computes the decision result from the collected attributes and the policy set, dynamically calling the getenv method of the attribute acquisition module AGM to obtain the current environmental conditions. If the decision passes, the access record transaction atx is sent to the chain operation unit COU and its write method is called; if the decision fails, the access record transaction atx is discarded.
5) Executing the requested operation: the policy enforcement unit PEU requests access to the resource from the data storage unit DSU, which calls the read method of the chain operation unit COU to query whether the access record transaction atx exists in the blockchain module BCM. If it does, the request is served and the execution result is returned; if not, the access request is discarded.
The beneficial effects of the invention: by adopting the above technical scheme, the invention has the following characteristics.
In the blockchain-based access control system, the decision process is bound to all nodes on the basis of policies, access authorization changes from centralized to distributed, the consistency check of the decision result across the whole network is achieved by means of the blockchain's consensus mechanism, and the authorization operation triggered by access control is permanently recorded on the blockchain. Benefits of this approach include:
1) Resistance to single points of failure: the computation of the decision result for an access request does not depend on any one authorization center but is produced by the consensus of all nodes in the blockchain, which effectively resists the failure of, or an attack on, a single node.
2) Flexible authorization: the policy file is the basis of the access decision, instead of a conventional central controller handing down the authorization result, and changing authorization is as simple as modifying the policy.
3) Precise access boundaries: the system describes every entity by means of attributes, which is fine-grained, suits large user and resource populations, and allows a clearer division of access rights.
4) Auditable records: this follows from the properties of the blockchain itself; the authorization record for a user's access request is recorded on chain as a transaction, which ensures that this information cannot be tampered with and can be traced back.
The invention suits enterprises, governments and similar organizations that have data-privacy protection requirements and operate an environment in which multiple branches cooperate on a blockchain platform; it can manage users' access rights in the system dynamically and extensibly, achieves fine-grained rights management around policies and attributes, and has important practical significance for protecting the security of information systems in a distributed network environment.
Drawings
Fig. 1 is a diagram of the relationship between unit modules of an access control system incorporating a blockchain platform.
Fig. 2 is a process diagram for access control for a user request according to a blockchain access control system.
Fig. 3 is a flowchart of a procedure when the access control is executed.
Detailed Description
The technical solution of the present invention is further explained below with reference to specific embodiments.
As shown in Figs. 1-3, in the access control method based on blockchain technology, a user sends an access request to the federation node module UNM; the request is received and processed by the policy enforcement unit PEU, reorganized into a data structure to form an access record transaction atx, and sent to the federation node module UNM. The data storage unit DSU calls the read method of the chain operation unit COU to query whether the access record transaction atx exists in the blockchain module BCM, which yields the decision result for the access request: if the chain operation unit COU returns the access record transaction atx, the decision succeeded and the policy enforcement unit PEU requests the data storage unit DSU to execute the operation in the access request; otherwise the policy enforcement unit PEU discards the access request and processes the next one.
The method comprises the following specific steps:
Step 1) The user sends the access request to the federation node module UNM; the policy enforcement unit PEU in the federation node module UNM extracts the entities in the access request, organizes them into an access record transaction atx and sends it to the federation node module UNM.
Step 2) Querying entity attributes: the policy decision unit PDU receives and processes the access record transaction atx, extracts the entities in it, and obtains the attribute sets of those entities from the attribute acquisition module AGM and the chain operation unit COU respectively; the obtained attribute sets are returned to the policy decision unit PDU.
Step 3) Policy matching: the policy decision unit PDU sends the received entity attribute set to the policy management module PAM to request the applicable policies; the policy management module PAM searches and matches the entity attribute set against the access policies stored in its database and returns the search and matching result to the policy decision unit PDU.
Step 4) Computing the decision result: the policy decision unit PDU computes the decision result from the collected entity attribute set and the matched policy set, dynamically calling the getenv method of the attribute acquisition module AGM to obtain the current environmental conditions; if the decision passes, the access record transaction atx is sent to the chain operation unit COU and its write method is called; if the decision fails, the access record transaction atx is discarded.
Step 5) Executing the requested operation: the policy enforcement unit PEU requests the data storage unit DSU to access the resource; the data storage unit DSU calls the read method of the chain operation unit COU to query whether the access record transaction atx exists in the blockchain module BCM; if so, the request is served and the execution result is returned; if not, the access request is discarded.
The access control method further comprises a resource publishing step:
1) Resource data storage: the data storage unit DSU receives the resource description and content sent by the owner and stores the resource in the object database;
2) Object attribute chaining: the data storage unit DSU extracts the object attributes from the description and the resource submitted by the owner and sends them to the federation node module UNM;
3) Policy issuing: the policy management module PAM receives the policy file made by the owner for the uploaded resource and stores it in the policy database.
The policy in step 3 is formed by an arbitrary Boolean-algebra combination of several rules, and each rule is formed by an arbitrary Boolean-algebra combination of several predicates.
The entities include subjects, objects, actions and environments.
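The decision of steps 2 to 4, as an added example in Go that is not part of the patent: object attributes are replayed from a time-ordered otx log so the newest issued value wins, a policy is a Boolean tree of rules over predicates on subject, object, action and environment attributes, and getenv is consulted only when a predicate needs a condition the request does not carry. The attribute key prefixes, the comparison operators, one policy per resource and deny-by-default are this example's assumptions; the description does not fix them.

```go
package main

import (
	"sort"
	"strconv"
)

// Attrs is one merged attribute set; the "sub."/"obj."/"env." prefixes and the "act" key are this example's own.
type Attrs map[string]string

// ObjectAttrTx mirrors otx: attributes the owner issued for a resource, with the time recorded on chain.
type ObjectAttrTx struct {
	URI   string
	Time  int64
	Attrs map[string]string
}

// CurrentObjectAttrs replays every otx for uri in chain-time order; a later
// transaction overrides the same key from an earlier one, so the newest wins.
func CurrentObjectAttrs(log []ObjectAttrTx, uri string) Attrs {
	txs := append([]ObjectAttrTx(nil), log...) // copy before sorting
	sort.SliceStable(txs, func(i, j int) bool { return txs[i].Time < txs[j].Time })
	cur := Attrs{}
	for _, tx := range txs {
		if tx.URI != uri {
			continue
		}
		for k, v := range tx.Attrs {
			cur["obj."+k] = v
		}
	}
	return cur
}

// Expr is a Boolean combination of predicates. A rule is an Expr over predicates
// and a policy is an Expr over rules, so one tree type serves both levels.
type Expr struct {
	Op   string  // "pred", "and", "or"
	Attr string  // predicate: attribute name
	Cmp  string  // predicate: "eq", "ge", "le" (ge/le compare as integers)
	Val  string  // predicate: constant to compare against
	Kids []*Expr // operands of and/or
}

func Pred(attr, cmp, val string) *Expr { return &Expr{Op: "pred", Attr: attr, Cmp: cmp, Val: val} }
func And(k ...*Expr) *Expr             { return &Expr{Op: "and", Kids: k} }
func Or(k ...*Expr) *Expr              { return &Expr{Op: "or", Kids: k} }

// pdu holds the merged request attributes; environmental conditions are fetched
// lazily, so getenv runs at most once and only if a predicate needs them.
type pdu struct {
	attrs    Attrs
	getenv   func() Attrs
	env      Attrs
	envCalls int
}

func (p *pdu) eval(e *Expr) bool {
	if e.Op == "and" || e.Op == "or" {
		for _, k := range e.Kids { // short-circuit: and stops on false, or on true
			if p.eval(k) == (e.Op == "or") {
				return e.Op == "or"
			}
		}
		return e.Op == "and"
	}
	v, ok := p.attrs[e.Attr]
	if !ok { // not carried by the request: ask AGM getenv for current conditions
		if p.env == nil {
			p.env, p.envCalls = p.getenv(), p.envCalls+1
		}
		v, ok = p.env[e.Attr]
	}
	if !ok {
		return false // an attribute nobody can supply never satisfies a predicate
	}
	x, err1 := strconv.Atoi(v)
	y, err2 := strconv.Atoi(e.Val)
	if e.Cmp == "eq" || err1 != nil || err2 != nil { // non-numeric ge/le is false
		return e.Cmp == "eq" && v == e.Val
	}
	return (e.Cmp == "ge" && x >= y) || (e.Cmp == "le" && x <= y)
}

// Decide runs PDU steps 2-5 for one request: merge subject, current object and action
// attributes, take the policy PAM holds for the uri (one per resource, an assumption) and
// evaluate it. No policy for the resource means deny. Returns the result and getenv calls.
func Decide(sub map[string]string, act, uri string, otxLog []ObjectAttrTx,
	policies map[string]*Expr, getenv func() Attrs) (granted bool, envCalls int) {
	pol, ok := policies[uri]
	if !ok {
		return false, 0
	}
	attrs := CurrentObjectAttrs(otxLog, uri)
	for k, v := range sub {
		attrs["sub."+k] = v
	}
	attrs["act"] = act
	p := &pdu{attrs: attrs, getenv: getenv}
	return p.eval(pol), p.envCalls
}
```

Only a decision that returns true would be handed to the COU write method as the atx; the replay step is what keeps a reclassified resource from being read under attributes the owner has since withdrawn.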
The specific steps of organizing the entities into an access record transaction atx are as follows: the identity validity of the user u is verified with an identity authentication technique and the user's identity identifier sid is obtained; the resource r is converted into a uniform resource identifier uri; the operation o is converted into an action identifier act; a default validity period exp set by the system is added; and finally the public key PK_{n_k} of node k is attached. The result is packaged into the following transaction format:
atx = {sid, uri, act, exp, PK_{n_k}, sig},
The requester initiates the access request to node k in the blockchain, so node k performs the conversion of the entities and the encapsulation of the transaction data format, signs the transaction, and spreads the transaction data into the network to be recorded in a block. The signature of node k is computed as:
sig = Sign(SK_{n_k}, sid || uri || act || exp || PK_{n_k}).
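The packaging and signing of atx described above, as an added example in Go that is not taken from the patent: node k builds the record and signs sid||uri||act||exp||PK_{n_k}, and any other node verifies it before accepting it into a block. Ed25519 as the Sign algorithm, the length-prefixed encoding of the concatenation, and the check that PK_{n_k} belongs to a federation node (the UNM membership set) are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AccessRecordTx mirrors atx = {sid, uri, act, exp, PK_nk, sig}; the field names
// are this example's own.
type AccessRecordTx struct {
	Sid  string            // identity identifier of the authenticated user u
	URI  string            // uniform resource identifier of resource r
	Act  string            // action identifier of operation o
	Exp  int64             // expiry as unix seconds: the system's default validity period
	PKnk ed25519.PublicKey // public key of node k, which packaged the record
	Sig  []byte            // Sign(SK_nk, sid||uri||act||exp||PK_nk)
}

// payload builds sid||uri||act||exp||PK_nk. Each field is length-prefixed (an
// assumption; the description only writes "||") so that moving bytes between
// adjacent fields cannot yield the same signed string.
func (tx AccessRecordTx) payload() []byte {
	var out []byte
	exp := make([]byte, 8)
	binary.BigEndian.PutUint64(exp, uint64(tx.Exp))
	for _, f := range [][]byte{[]byte(tx.Sid), []byte(tx.URI), []byte(tx.Act), exp, tx.PKnk} {
		n := make([]byte, 4)
		binary.BigEndian.PutUint32(n, uint32(len(f)))
		out = append(append(out, n...), f...)
	}
	return out
}

// BuildAtx is node k's side: the requester has already been authenticated and
// (u, r, o) converted to (sid, uri, act); node k adds exp and its own public key
// and signs. Ed25519 is this example's choice for Sign.
func BuildAtx(nodeSK ed25519.PrivateKey, sid, uri, act string, exp int64) AccessRecordTx {
	tx := AccessRecordTx{Sid: sid, URI: uri, Act: act, Exp: exp,
		PKnk: nodeSK.Public().(ed25519.PublicKey)}
	tx.Sig = ed25519.Sign(nodeSK, tx.payload())
	return tx
}

// VerifyAtx is what every other node runs before accepting the record into a
// block. The embedded PK_nk only proves that its holder signed, so the verifier
// also checks that the key belongs to a federation node: members is the UNM
// membership set keyed by hex public key. Without that check anyone could mint
// access records.
func VerifyAtx(tx AccessRecordTx, now int64, members map[string]bool) error {
	if len(tx.PKnk) != ed25519.PublicKeySize {
		return errors.New("atx: malformed node public key")
	}
	if !members[hex.EncodeToString(tx.PKnk)] {
		return errors.New("atx: signer is not a federation node")
	}
	if !ed25519.Verify(tx.PKnk, tx.payload(), tx.Sig) {
		return errors.New("atx: signature does not cover sid||uri||act||exp||PK_nk")
	}
	if now > tx.Exp {
		return errors.New("atx: validity period has expired")
	}
	return nil
}

func main() {
	pk, sk, err := ed25519.GenerateKey(rand.Reader) // node k's key pair (constructed)
	if err != nil {
		panic(err)
	}
	members := map[string]bool{hex.EncodeToString(pk): true}
	tx := BuildAtx(sk, "user-42", "urn:res:report-7", "read", 1700000000)
	fmt.Println("fresh record:", VerifyAtx(tx, 1699999000, members)) // <nil>
	tx.Act = "write" // tampering after signing breaks the signature
	fmt.Println("tampered record:", VerifyAtx(tx, 1699999000, members))
}
```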
The access control system of the access control method based on blockchain technology comprises: a federation node module UNM, a blockchain module BCM, a policy management module PAM and an attribute acquisition module AGM;
where the blockchain module BCM is used to store transactions in a chained data structure, each transaction representing the trigger of a system event and each block recording the system events that occurred over a period of time;
the federation node module UNM is used to maintain all system members in the blockchain module BCM, the relationship between the system members being peer-to-peer, that is, a set of nodes;
the policy management module PAM is used to manage policies, accept policies issued by owners, and provide the policy set matching the attributes associated with an access request;
the attribute acquisition module AGM is used to provide the policy decision unit PDU in the federation node module UNM with the set of attributes associated with an access request.
The federation node module UNM includes a chain operation unit COU, a policy enforcement unit PEU, a policy decision unit PDU and a data storage unit DSU;
where the chain operation unit COU connects directly to the blockchain module BCM, providing a write method for generating blocks and a read method for querying blocks and transaction data;
the policy enforcement unit PEU is used to execute the operation requested by the subject on the object according to the policy decision result, interacting directly with the subject and processing and responding to its requests;
the policy decision unit PDU is used to compute the decision result for the subject's access request from the collected policies and attributes;
the data storage unit DSU is the module providing the object access service; it is deployed on a blockchain node, connects to the object database to persist object data, and publishes the object's related attributes to the blockchain.
The data storage unit DSU is deployed on at least one node.
In this embodiment, the execution unit and the determination unit are two functional modules of a blockchain node, and the execution unit performs identity authentication on a user and issues an access record to a blockchain to complete access authorization; the judging unit checks the validity of the access request under the current strategy and attribute conditions as a precondition for the access record to be written into the block. In addition, the data storage unit is deployed on one node of the block chain to issue the object attribute, and the data storage unit also comprises the two functions.
In the embodiment, the source authentication of a message is realized by the digital signature of the sender, including the verification of transaction data between units and block chain nodes. s = Sign(sk, m) represents the signature of the private key sk on the message m, where m = m1||m2||…||mn and || represents concatenation of multiple messages.
In this embodiment, the blockchain is a one-way, append-only chain of transaction data; all nodes maintaining the public ledger receive transaction data from the network and provide a query service for block and transaction data:
1) sending a transaction: denoted by the function sendTx(tx), where tx is the transmitted transaction content; tx is broadcast to the whole network over the peer-to-peer network and written into a block after passing verification;
2) acquiring a block: denoted by the function blk = gainBlk(bid), where bid is the hash pointer of the block and the return value blk is block data in a specific format;
3) acquiring a transaction: denoted by the function tx = gainTx(tid), where tid is the hash pointer of the transaction and the return value tx is the transaction content contained in a certain block.
In this embodiment, the attribute is represented by a key value pair attr = name: value, name is an attribute name, value is a corresponding attribute value, and the attribute set is represented by { attr }. The hash value calculation is denoted as h = hash (m), m being an arbitrary character string.
To describe this embodiment more clearly, we provide the parameter and function definitions related to each unit module in the block chain-based access control method and system:
1) a data storage unit: running on a block-making node in a blockchain network, a storage service providing object data is represented as put (k, v) and an access service is represented as v = get (k), v is the content of an object, and k is a unique identifier for acquiring the object. And a pair of public and private keys held by the unit are (PKs, SKs) and used for signing and authenticating data when the object attribute is issued.
2) A policy management module: managing policies as a basis for decision, a publishing service for connecting the policy database to provide the policies is denoted as publish (po) and a matching service is denoted as pol = matched (atl), po is a single policy, pol is a set of policies, and atl is a set of attributes. Let a pair of public and private keys held by the unit be (PKp, SKp) and be used for signing and authenticating data in response to the policy matching result.
3) An attribute acquisition module: receiving an entity attribute request of a judging unit, wherein in the aspect of obtaining the environmental condition, a function eva = getenv (eid) represents a universal interface of the detection device, wherein eid is the name of the environmental condition, and eva is a returned dynamic attribute value; in obtaining the attributes of the body, function sva = getsub (sid) represents getting the attributes of the specified body from the attribute database, where sid is the user's identity and sva is the queried set of attributes of the body of the user. Let a pair of public and private keys held by a unit be (PKa, SKa).
4) A chain operating unit: other units in the federation node rely on this unit for data operations on the blockchain; the key pair held by the unit is (PKn_i, SKn_i), where i = 1, 2, ..., m and m is the number of nodes in the blockchain network.
In this embodiment, a predicate is a binary relation on attributes, expressed as a function F(x, y), where x and y are attribute variables or attribute values and F is the method that performs the predicate decision on the two attributes; it can be written as xFy, a single-layer binary tree whose root F represents the result of the predicate decision.
The rule is formed by any Boolean algebra of a plurality of predicates, and the judgment result can be expressed as the root of a predicate multi-way tree. The judgment result of the rule is represented by R, the combination mode is V, and the rule format is as follows:
R={F1,F2,...,Fn,V},
the policy is formed by an arbitrary boolean algebra of a plurality of rules, the decision result of which can be represented as the root of a rule multi-way tree. The judgment result of the strategy is represented by P, the combination mode is W, and the strategy format is as follows:
P={R1,R2,...,Rn,W},
with the above definitions and descriptions, the specific embodiment of the block chain-based access control method and system according to the present invention is introduced, which is mainly implemented by two parts, resource publishing and access control, where resource publishing is pre-operation and is triggered by an owner, and then a specific access control process is triggered by a user.
Resource publishing
The owner uploads the resource to the data storage unit, makes the corresponding policy and submits it to the policy management module; the process comprises three steps: resource data access, object attribute chaining and policy publishing:
1. resource data access
The owner fills in the form, submits the description of the resource, including name, type, size and owner, to the data storage unit, and uploads the resource data, expressed as:
obj={title,type,owner,size,data},
the data storage unit verification process is as follows:
1) whether the resource name title complies with the naming requirements of the system;
2) whether the description type is consistent with the resource format;
3) whether the resource owner is the same as the currently submitting user;
4) whether the resource size and the length of the uploaded data are consistent.
If the object passes the verification, the data storage unit allocates a uniform resource identifier uri to the object, and calls a storage service put (uri, obj) to persist the resource in the object database.
When a certain resource needs to be read or modified, the data storage unit calls the object database function obj = get(uri) to obtain the resource data according to the uniform resource identifier uri. The field content is extracted and modified accordingly, changing the original object into obj'; the data storage unit performs the same check process on the new object, and if it passes, put(uri, obj') is called to make the modification effective.
2. object attribute chaining
The data storage unit externally issues resources stored in the object database, issues object attributes of the resources to the block chain in a transaction form, and updates the object attributes corresponding to the resources by adding new transactions to form a service flow for the resources. Each service flow records the change of the object attribute related to a certain resource, and the data format of the object attribute recorded in the block chain is defined as follows:
otx={oid,op,in,out,sig},
oid is a hash pointer pointing to the last object attribute transaction in the transaction chain; the op is an operation type with a value of set or del, the set is marked as setting object attributes, and the del is marked as deleting object attributes; in is a set of attributes, expressed as add object attributes; out is also a collection of attributes, denoted as the deletion of certain object attributes; sig is the signature on the transaction data, calculated as follows:
sig=Sign(SKs,oid||op||in||out),
the data storage unit updates the attribute of the resource issued on the blockchain to form an object attribute chain aiming at the resource, the change of the object attribute completes the record on the blockchain through the transaction with the hash pointer, and the life cycle of the chain is from the addition of the resource, multiple modifications to the deletion. The resource generating an object attribute chain comprises the following three operations:
1) Adding a resource: the data storage unit extracts the object attribute set {n1:v1, n2:v2, n3:v3}, assigns a new uniform resource identifier uri, lets the hash pointer oid1 = uri, operation type op1 = set, added attribute set in1 = {n1:v1, n2:v2, n3:v3}, deleted attribute set out1 = {}, and computes the signature value:
sig1 = Sign(SKs, oid1||op1||in1||out1),
then calls sendTx(otx1) to publish the resource, where otx1 = {oid1, op1, in1, out1, sig1}.
2) Modifying the resource attributes: let n2 = v4 and delete attribute n3. The data storage unit sets the hash pointer to the hash value of the previous transaction, oid2 = hash(otx1), operation type op2 = set, added attribute set in2 = {n2:v4}, deleted attribute set out2 = {n2:v2, n3:v3}, and computes the signature value:
sig2 = Sign(SKs, oid2||op2||in2||out2),
then calls sendTx(otx2) to update the resource attributes, where otx2 = {oid2, op2, in2, out2, sig2}.
3) Deleting the resource: the object database deletes the resource and the data storage unit invalidates the object attributes in the blockchain accordingly, setting the hash pointer to the hash value of the previous transaction, oid3 = hash(otx2), operation type op3 = del, added attribute set in3 = {}, deleted attribute set out3 = {}, and computing the signature value:
sig3 = Sign(SKs, oid3||op3||in3||out3),
then calls sendTx(otx3) to invalidate the resource, where otx3 = {oid3, op3, in3, out3, sig3}.
3. Policy publishing
The owner fills in the form and submits the access policy for the resource to the policy management module, including the policy identifier, matching target, policy content and owner, expressed as:
po={pid,target,policy,owner},
where pid uniquely identifies a policy. The verification process of the policy management module is as follows:
1) whether the policy identifier pid conflicts with an existing policy in the policy database;
2) whether the matching target has the format of an attribute set over the three entities;
3) whether the policy content policy meets the defined format and can be converted into a multi-way tree;
4) whether the resource owner is the same as the currently submitting user.
If the policy passes the verification, the policy management module calls publish(po) to store the policy in the database, and a reverse lookup table is built from the attribute set of the matching target for quick policy retrieval.
Second, access control
The user sends an access request to the federation node, triggering the system's access control decision and execution; the process comprises five steps: publishing the access record, querying entity attributes, policy matching, acquiring environmental conditions, calculating the decision result and executing the requested operation:
1. publishing access records
The user-initiated access request is composed of entities (u, r, o), u being the user initiating the request, r being the resource being accessed, and o being the operation requested to be performed.
The policy enforcement unit exposes an interface to the outside and receives an access request expressed by entities from a requester; it verifies the validity of user u's identity with an identity authentication technique and obtains the user's identity sid, converts the resource r into a uniform resource identifier uri, converts the operation o into an action identifier act, adds the default validity period exp set by the system, finally attaches the public key PKn_k of node k, and packages them into the transaction format as follows:
atx = {sid, uri, act, exp, PKn_k, sig},
the requester initiates the access request to a node k in the blockchain, so that node k completes the conversion of the entities and the encapsulation into the transaction data format, signs the transaction and diffuses the transaction data into the network to be recorded in a block; the signature of node k is calculated as follows:
sig = Sign(SKn_k, sid||uri||act||exp||PKn_k),
2. querying entity attributes
The strategy judgment unit receives the access record transaction, and inquires about subject, object and action attributes corresponding to the entity in the access request, which are respectively:
1) Subject attribute: according to the user's identity sid, the corresponding subject attribute set sva of the user is obtained by calling the function interface sva = getsub(sid) provided by the attribute acquisition module.
2) Object attribute: according to the uniform resource identifier uri, a read method of a chain operation unit is called to obtain a service flow corresponding to the resource, and an object attribute set of the resource is calculated through traversal, for example:
there is a chain of transactions associated with a resource, currently comprising three transactions:
otx1 = {uri, set, {n1:v1, n2:v2, n3:v3}, {}, sig1},
otx2 = {hash(otx1), set, {n2:v4}, {n2:v2}, sig2},
otx3 = {hash(otx2), set, {}, {n3:v3}, sig3},
the three transactions form a service flow in sequence according to their hash pointers. When transaction otx1 is read, its hash pointer has the format of a uniform resource identifier uri, indicating that a new resource has been added, and the set S = {}. The object attribute set calculation process of the resource is as follows:
In this way the latest object attribute set S of a resource on the current blockchain can be extracted. When the operation type read is delete, the resource has been deleted and contains no object attributes.
3) Action attribute: according to the action identifier act, convert it directly into an action attribute set ava.
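The object attribute chain from the resource publishing section and the traversal described above, as an added worked example that is not code from the patent: it rebuilds the three-transaction service flow of this section, checks each hash pointer and signature, and computes the current object attribute set S, treating the delete case as described. The HMAC-based stand-in for Sign(SKs, m), the uri and the attribute names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for the data storage unit. The patent writes Sign(SKs, m) without
# fixing a scheme; an HMAC-SHA256 tag stands in for it here so the example runs
# offline. A deployment would use a public-key signature checkable with PKs.
SKS = b"constructed-data-storage-unit-key"


def concat(*parts):
    """m = m1||m2||...||mn, the concatenation used in every signature formula."""
    return "||".join(str(p) for p in parts)


def sign(sk, msg):
    return hmac.new(sk, msg.encode(), hashlib.sha256).hexdigest()


def attrs_to_str(attrs):
    """Canonical text of an attribute set {name: value}; signer and verifier
    must serialise in/out identically or the signature will not check."""
    return ",".join(f"{k}:{v}" for k, v in sorted(attrs.items()))


def tx_hash(otx):
    """h = hash(m): SHA-256 over the canonical JSON of a whole transaction."""
    return hashlib.sha256(json.dumps(otx, sort_keys=True).encode()).hexdigest()


def make_otx(oid, op, added, removed, sk=SKS):
    """otx = {oid, op, in, out, sig} with sig = Sign(SKs, oid||op||in||out)."""
    msg = concat(oid, op, attrs_to_str(added), attrs_to_str(removed))
    return {"oid": oid, "op": op, "in": added, "out": removed, "sig": sign(sk, msg)}


def check_otx(otx, sk=SKS):
    msg = concat(otx["oid"], otx["op"], attrs_to_str(otx["in"]), attrs_to_str(otx["out"]))
    return hmac.compare_digest(sign(sk, msg), otx["sig"])


def object_attributes(uri, chain, sk=SKS):
    """Read a service flow (transactions in chain order) and return (S, deleted):
    the latest object attribute set of the resource and whether it was deleted.
    Raises ValueError if a hash pointer or signature does not check out."""
    S, deleted, prev = {}, False, None
    for otx in chain:
        # The first transaction's pointer is the uri itself (a new resource);
        # every later one must point at the hash of the previous transaction.
        expected = uri if prev is None else tx_hash(prev)
        if otx["oid"] != expected:
            raise ValueError(f"broken hash pointer: {otx['oid']!r} != {expected!r}")
        if not check_otx(otx, sk):
            raise ValueError("object attribute transaction has an invalid signature")
        if deleted:
            raise ValueError("transaction recorded after the resource was deleted")
        if otx["op"] == "set":
            for name in otx["out"]:      # out: attributes to delete ...
                S.pop(name, None)
            S.update(otx["in"])          # ... in: attributes to add or overwrite
        elif otx["op"] == "del":
            S, deleted = {}, True        # a deleted resource has no attributes
        else:
            raise ValueError(f"unknown operation type {otx['op']!r}")
        prev = otx
    return S, deleted


def build_example_chain():
    """The three transactions of the specification's example, with constructed
    attribute names/values and a constructed uri."""
    uri = "urn:example:resource:1"
    otx1 = make_otx(uri, "set", {"n1": "v1", "n2": "v2", "n3": "v3"}, {})
    otx2 = make_otx(tx_hash(otx1), "set", {"n2": "v4"}, {"n2": "v2"})
    otx3 = make_otx(tx_hash(otx2), "set", {}, {"n3": "v3"})
    return uri, [otx1, otx2, otx3]


if __name__ == "__main__":
    uri, chain = build_example_chain()
    print(object_attributes(uri, chain))   # ({'n1': 'v1', 'n2': 'v4'}, False)
```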
3. policy matching
The policy management module receives the attribute set sent by the policy decision unit, matches the policies related to it in the policy database, forms a policy set, signs it and returns it to the decision unit. For example, there is a policy P that contains two rules:
R1: the physician can read and write the case,
R2: the patient can only view the case of a patient,
The two rules are combined in policy P. In policy P, the subject's role attribute is doctor or patient, the action identifier attribute is read or write, and the object type attribute is case. Therefore, the multi-way tree formed by policy P consists of the following five predicates:
F1: subject.role = doctor, F2: subject.role = patient,
F3: action.identifier = read, F4: action.identifier = write,
F5: object.type = case,
therefore, the combination modes corresponding to the two rules are respectively as follows:
,
In summary, policy P = {R1, R2, W}, where R1 = {F1, F3, F4, F5, V1} and R2 = {F2, F3, F5, V2}.
The matching target T classifies the five predicates by entity to form the keywords of the policy: F1 and F2 are contained in the subject set S = {F1, F2}, F3 and F4 in the action set A = {F3, F4}, and F5 in the object set O = {F5}. The matching target can therefore be represented as T = {S, O, A}.
The attribute set of the access request sent by the policy decision unit, for example a doctor wanting to write a case, is a set att = {F1, F4, F5} containing three attributes. Calling the policy management module's pol = matched(att) function matches the policies whose target contains, for both the object and the action, attributes within the set; the current policy P is matched, so the function returns pol = {P}.
Finally, the policy management module returns the result of this policy matching, ret = {pol, sig}, where the included signature is calculated as sig = Sign(SKp, pol).
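The predicate/rule/policy trees defined earlier and the matching walk-through above, as an added example that is not code from the patent: predicates are equality tests on named attributes, rules and policies are Boolean nodes of a multi-way tree, matched(att) applies the object-and-action criterion stated above, and decide() merges results with an assumed deny-by-default rule. The "subject."/"object."/"action." name prefixes and the combination modes V1, V2, W are assumptions, since the page states the rules in words only.

```python
# Attribute sets are dicts {name: value}, e.g. {"subject.role": "doctor"}. The
# "subject."/"object."/"action." prefixes are an assumption used to classify
# predicates into the matching target T = {S, O, A}.


class Predicate:
    """F(x, y) on a single attribute; equality is the assumed predicate method."""

    def __init__(self, name, value):
        self.name, self.value = name, value

    def evaluate(self, attrs):
        return attrs.get(self.name) == self.value

    def key(self):
        return (self.name, self.value)

    def predicates(self):
        return [self]


class Node:
    """A rule R = {F1..Fn, V} or a policy P = {R1..Rn, W}: children joined by a
    Boolean combination mode; the root value is the decision result."""

    def __init__(self, children, mode):
        if mode not in ("AND", "OR"):
            raise ValueError(f"unknown combination mode {mode!r}")
        self.children, self.mode = children, mode

    def evaluate(self, attrs):
        results = [c.evaluate(attrs) for c in self.children]
        return all(results) if self.mode == "AND" else any(results)

    def predicates(self):
        return [f for c in self.children for f in c.predicates()]


def matching_target(policy):
    """T = {S, O, A}: the policy's predicates classified by the entity they test."""
    T = {"S": set(), "O": set(), "A": set()}
    bucket = {"subject": "S", "object": "O", "action": "A"}
    for f in policy.predicates():
        entity = f.name.split(".", 1)[0]
        if entity not in bucket:
            raise ValueError(f"attribute {f.name!r} is not bound to an entity")
        T[bucket[entity]].add(f.key())
    return T


def matched(att, policy_db):
    """pol = matched(att): identifiers of policies whose target contains, for both
    the object and the action, an attribute that appears in the request set att."""
    att_keys = set(att.items())
    pol = []
    for pid, policy in policy_db.items():
        T = matching_target(policy)
        if T["O"] & att_keys and T["A"] & att_keys:
            pol.append(pid)
    return pol


def decide(att, policy_db):
    """Decision result for one access record. Assumed merging algorithm (the patent
    leaves it to system configuration): at least one policy must match and every
    matched policy must permit; anything else is denied."""
    pol = matched(att, policy_db)
    return bool(pol) and all(policy_db[pid].evaluate(att) for pid in pol)


def build_example_policy():
    """Policy P from the text: R1 lets a doctor read or write a case, R2 lets a
    patient only read a case. The combination modes V1, V2 and W are assumed."""
    F1 = Predicate("subject.role", "doctor")
    F2 = Predicate("subject.role", "patient")
    F3 = Predicate("action.identifier", "read")
    F4 = Predicate("action.identifier", "write")
    F5 = Predicate("object.type", "case")
    R1 = Node([F1, Node([F3, F4], "OR"), F5], "AND")   # V1: doctor AND (read OR write) AND case
    R2 = Node([F2, F3, F5], "AND")                     # V2: patient AND read AND case
    return Node([R1, R2], "OR")                        # W: either rule grants access
```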
4. calculating the determination result
The policy decision unit listens for access record transactions in the block chain network, adds each transaction to a decision queue for processing, gathers the entity attributes of the access record into a set att, sends a matching request to the policy management module, and calls the function pol = matched(att) to acquire the policy set pol applicable to the access record; it then iteratively calculates the decision result of each policy in pol against the attribute set att, where any environmental condition needed in the calculation is acquired dynamically in real time through the function interface eva = getenv(eid) provided by the attribute acquisition module, eva being the attribute set corresponding to the specified environmental condition.
The final decision result for the access record is obtained according to the policy merging algorithm preset by the system. If the decision result is pass and the signature of the transaction is correctly computed, the chain operation unit finally writes the access record into a block on the basis of the blockchain's consensus algorithm, that is, the access record is authorized.
5. performing a requested operation
The policy enforcement unit calculates the hash value aid = hash(atx) of the access record transaction and sends aid to the data storage unit to request an operation on the resource. The data storage unit calls the transaction acquisition function atx = gainTx(aid) provided by the blockchain to obtain the access record atx.
The data storage unit verifies the access record as follows:
1) extracting a signature sig, and verifying whether a signature source is consistent with a current request node;
2) and extracting the validity period exp and checking whether the current time is within the validity period.
If the process passes the verification, the data storage unit extracts the uniform resource identifier uri, calls the function obj = get (uri) to acquire the object data obj, executes act operation on the data, and returns the result to the policy execution unit to complete the access request.
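Steps 1 and 5 above, as an added example that is not part of the patent: node k builds and signs the access record atx, the chain is modelled as a dict keyed by aid = hash(atx), and the data storage unit performs the two verification steps (signature source and validity period) after fetching the record with gainTx, discarding any aid that has no record in the chain. Node names, their keys, the HMAC stand-in for Sign() and the 300-second default exp are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key material: the patent's node key pair (PKn_k, SKn_k) is stood in
# for by an HMAC key per node, with the node name playing the role of PKn_k.
NODE_KEYS = {"node-k": b"constructed-key-of-node-k", "node-j": b"constructed-key-of-node-j"}
DEFAULT_EXP_SECONDS = 300   # assumed system default validity period


def sign(sk, msg):
    return hmac.new(sk, msg.encode(), hashlib.sha256).hexdigest()


def atx_message(atx):
    """sid||uri||act||exp||PKn_k, the signed part of an access record."""
    return "||".join([atx["sid"], atx["uri"], atx["act"], str(atx["exp"]), atx["PKn"]])


def make_atx(node, sid, uri, act, now, validity=DEFAULT_EXP_SECONDS):
    """Policy enforcement unit of node k: atx = {sid, uri, act, exp, PKn_k, sig}."""
    atx = {"sid": sid, "uri": uri, "act": act, "exp": now + validity, "PKn": node}
    atx["sig"] = sign(NODE_KEYS[node], atx_message(atx))
    return atx


def hash_atx(atx):
    """aid = hash(atx): the identifier the enforcement unit hands to the storage unit."""
    return hashlib.sha256(json.dumps(atx, sort_keys=True).encode()).hexdigest()


def send_tx(atx, ledger):
    """sendTx(tx) reduced to its effect: the record lands in the chain under its hash.
    In the real system it is written only after the decision unit has passed it."""
    aid = hash_atx(atx)
    ledger[aid] = atx
    return aid


def gain_tx(aid, ledger):
    """tx = gainTx(tid): look a transaction up by hash pointer, None if absent."""
    return ledger.get(aid)


def verify_access_record(atx, requesting_node, now):
    """The data storage unit's two checks: 1) the signature source must be the node
    that is now requesting the operation; 2) now must be within the validity period."""
    if requesting_node not in NODE_KEYS or atx["PKn"] != requesting_node:
        return False, "signature source is not the requesting node"
    expected = sign(NODE_KEYS[atx["PKn"]], atx_message(atx))
    if not hmac.compare_digest(expected, atx["sig"]):
        return False, "signature does not verify"
    if now > atx["exp"]:
        return False, "access record has expired"
    return True, "ok"


def perform_request(aid, requesting_node, now, ledger):
    """Step 5 as seen by the data storage unit: authorization is the presence of a
    valid access record in the chain, so an aid without a record is discarded."""
    atx = gain_tx(aid, ledger)
    if atx is None:
        return False, "no access record in the blockchain"
    return verify_access_record(atx, requesting_node, now)
```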

Claims (8)

1. An access control method based on a block chain technology is characterized in that a user sends an access request to an alliance node module UNM, a policy execution unit PEU receives and processes the access request, a data structure of the access request is reorganized to form an access record transaction atx, the access record transaction is sent to a policy decision unit PDU, and a data storage unit DSU calls a read method of a chain operation unit COU to inquire whether the access record transaction atx exists in a block chain module BCM or not so as to obtain a decision result of the access request; if the chain operation unit COU returns an access record transaction atx, indicating that the determination is successful, the policy execution unit PEU requests the data storage unit DSU to execute the operation in the access request; otherwise, the policy enforcement unit PEU discards the access request.
2. The access control method according to claim 1, characterized in that the method comprises the following steps:
step 1) the user sends the access request to the federation node module UNM, the policy enforcement unit PEU in the federation node module UNM extracts the entity in the access request, organizes the entity in the access request into an access record transaction atx and sends the access record transaction to the policy decision unit PDU;
step 2) querying entity attributes: the policy decision unit PDU receives and processes the access record transaction atx, extracts the entities in the access record transaction atx, acquires the attribute sets of the entities from the attribute acquisition module AGM and the chain operation unit COU respectively, and collects the acquired entity attribute sets in the policy decision unit PDU;
step 3) policy matching: the policy decision unit PDU sends the received entity attribute set to the policy management module PAM to request the applicable policies, the policy management module PAM searches and matches the received entity attribute set against the access policies stored in the policy database, and returns the search and matching result to the policy decision unit PDU;
step 4) calculating the decision result: the policy decision unit PDU calculates the decision result from the collected entity attribute set and the matched policy set, dynamically calling the getenv method of the attribute acquisition module AGM to acquire the current environmental conditions; if the decision passes, the access record transaction atx is sent to the chain operation unit COU and its write method is called; if the decision does not pass, the access record transaction atx is discarded;
step 5) executing request operation: the policy enforcement unit PEU requests the data storage unit DSU to access the resource, the data storage unit DSU calls the read method of the chain operation unit COU to query whether the access record transaction atx exists in the block chain module BCM; if yes, responding to the request and returning an execution result; if not, the access request is discarded.
3. The access control method according to claim 2, characterized in that the access control method further comprises a resource publishing step:
1) resource data access: the data storage unit DSU receives the resource description and content sent by the owner and stores the resource in the object database;
2) object attribute chaining: the data storage unit DSU extracts the object attributes according to the description and the resource submitted by the owner, and sends the object attributes to the federation node module UNM;
3) policy publishing: the policy management module PAM receives the policy file made by the owner for the uploaded resource and stores the policy file in the policy database.
4. The access control method according to claim 2, wherein the policy in step 3 is formed by an arbitrary boolean algebraic combination of a plurality of rules, each of the rules being formed by an arbitrary boolean algebraic combination of a plurality of predicates.
5. The access control method of claim 2, wherein organizing the entities into the access record transaction atx comprises the steps of: verifying the identity validity of a user u with an identity authentication technique and obtaining the user's identity identifier sid, converting a resource r into a uniform resource identifier uri, converting an operation o into an action identifier act, adding a default validity period exp set by the system, and finally attaching the public key PKn_k of node k, packaged into the transaction format as follows:
atx = {sid, uri, act, exp, PKn_k, sig},
the requester initiates the access request to a node k in the blockchain, so that node k completes the conversion of the entities and the encapsulation into the transaction data format, signs the transaction and diffuses the transaction data into the network to be recorded in a block; the signature of node k is calculated as follows:
sig = Sign(SKn_k, sid||uri||act||exp||PKn_k).
6. An access control system according to the access control method of any one of claims 1 to 5, characterized in that the system comprises: a federation node module UNM, a block chain module BCM, a policy management module PAM and an attribute acquisition module AGM;
wherein the block chain module BCM: for storing transactions in a chained data structure, each transaction representing a trigger for a system event, each block recording system events occurring over a period of time;
the federation node module UNM is configured to maintain all system members in the blockchain module BCM, where the relationship between the system members is peer-to-peer, that is, a node set;
the policy management module PAM: manages the policies, accepts the policies made by the owner for publishing, and provides the set of policies matching the attributes related to the access request;
the attribute acquisition module AGM: for providing the set of attributes associated with the access request to the policy decision unit PDU in the federation node module UNM.
7. The access control system of claim 6 wherein the federation node module UNM includes a chain operation unit COU, a policy enforcement unit PEU, a policy decision unit PDU, and a data storage unit DSU;
wherein the chain operating unit COU: directly connecting to a blockchain module BCM, providing a write method for the generation of the blocks and a read method for the query of the blocks and the transaction data;
the policy enforcement unit PEU: executes the operation requested by the subject on the object according to the decision result of the policy, interacts directly with the subject, and processes and responds to the request;
the policy decision unit PDU: calculates the decision result for the subject's access request from the collected policies and attributes;
the data storage unit DSU: the module providing the object access service; it is deployed on a blockchain node, connects to the object database to persist object data, and publishes the object's attributes to the blockchain.
8. The access control system according to claim 6, characterized in that the data storage unit DSU is arranged on at least one node.
CN201711326186.XA (priority date 2017-12-13, filing date 2017-12-13): Access control method and system based on block chain technology; granted as CN108123936B, status Expired - Fee Related.

Publications:
CN108123936A, published 2018-06-05
CN108123936B, published 2021-04-13
CN107070938A (en) * 2017-04-27 2017-08-18 电子科技大学 Data access control system based on block chain
CN107103252A (en) * 2017-04-27 2017-08-29 电子科技大学 Data access control method based on block chain
CN107222478A (en) * 2017-05-27 2017-09-29 暨南大学 Software defined network key-course security mechanism construction method based on block chain
CN107332847A (en) * 2017-07-05 2017-11-07 武汉凤链科技有限公司 A kind of access control method and system based on block chain

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
朱岩等: "Security research on key blockchain technologies", 《信息安全研究》 *
梅颖: "Constructing a simplified blockchain-based access control model for the Internet of Things", 《中国传媒大学学报(自然科学版)》 *

Cited By (71)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109034833A (en) * 2018-06-16 2018-12-18 复旦大学 A kind of product back-tracing information management system and method based on block chain
CN109034833B (en) * 2018-06-16 2021-07-23 复旦大学 Product tracing information management system and method based on block chain
CN108833081B (en) * 2018-06-22 2021-01-05 中国人民解放军国防科技大学 Block chain-based equipment networking authentication method
CN108833081A (en) * 2018-06-22 2018-11-16 中国人民解放军国防科技大学 Block chain-based equipment networking authentication method
CN110691062B (en) * 2018-07-06 2021-01-26 浙江大学 Data writing method, device and equipment
CN110691062A (en) * 2018-07-06 2020-01-14 浙江大学 Data writing method, device and equipment
CN109064328A (en) * 2018-07-09 2018-12-21 夸克链科技(深圳)有限公司 A kind of construction and its common recognition algorithm of novel block chain
CN109064328B (en) * 2018-07-09 2022-04-15 夸克链科技(深圳)有限公司 Consensus method of block chains
CN109088857A (en) * 2018-07-12 2018-12-25 中国电子科技集团公司第十五研究所 A kind of distributed authorization management method under scenes of internet of things
CN109088857B (en) * 2018-07-12 2020-12-25 中国电子科技集团公司第十五研究所 Distributed authorization management method in scene of Internet of things
CN109145640A (en) * 2018-08-01 2019-01-04 长沙拓扑陆川新材料科技有限公司 A kind of method and apparatus for safeguarding block chain data safety
CN109117668A (en) * 2018-08-10 2019-01-01 广东工业大学 A kind of identification authorization safety access method based on block chain building
CN109040271B (en) * 2018-08-15 2020-12-29 深圳市引方科技有限公司 Network equipment integrity protection method under distributed environment
CN109040271A (en) * 2018-08-15 2018-12-18 深圳市引方科技有限公司 A kind of network equipment completeness protection method under distributed environment
CN109194485A (en) * 2018-08-21 2019-01-11 甲骨文科技时代(深圳)有限公司 A kind of network-building method of multi-type network node
CN109324757A (en) * 2018-08-22 2019-02-12 深圳前海微众银行股份有限公司 Block chain data capacity reduction method, device and storage medium
CN109324757B (en) * 2018-08-22 2021-05-21 深圳前海微众银行股份有限公司 Block chain data capacity reduction method and device and storage medium
CN109246206A (en) * 2018-08-28 2019-01-18 瑞典爱立信有限公司 Generate and record the method and network of information
CN109462570A (en) * 2018-09-03 2019-03-12 众安信息技术服务有限公司 The computing system across cloud platform based on block chain and the calculation method using it
CN112673600B (en) * 2018-09-03 2023-10-03 爱森卡斯特株式会社 Multiple security authentication system and method between mobile phone terminal and internet of things (IoT) device based on blockchain
CN112673600A (en) * 2018-09-03 2021-04-16 爱森卡斯特株式会社 Multi-security authentication system and method between mobile phone terminal and IoT (Internet of things) equipment based on block chain
CN109274728A (en) * 2018-09-03 2019-01-25 北京飞纳泰科信息技术有限公司 Block chain Data lifecycle management method
CN109327312A (en) * 2018-10-26 2019-02-12 阿里巴巴集团控股有限公司 Authentication method and device, electronic equipment
CN109150549A (en) * 2018-10-26 2019-01-04 北京中宇万通科技股份有限公司 A method of based on domestic cryptographic algorithms' implementation block chain cryptosecurity service
CN109543725A (en) * 2018-11-06 2019-03-29 联动优势科技有限公司 A kind of method and device obtaining model parameter
CN109327314B (en) * 2018-11-08 2021-07-13 创新先进技术有限公司 Service data access method, device, electronic equipment and system
CN109327314A (en) * 2018-11-08 2019-02-12 阿里巴巴集团控股有限公司 Access method, device, electronic equipment and the system of business datum
CN110352445B (en) * 2018-11-27 2023-08-22 创新先进技术有限公司 Performing multiparty transactions using smart contracts
CN110352445A (en) * 2018-11-27 2019-10-18 阿里巴巴集团控股有限公司 Multi transaction is executed using intelligent contract
CN109495490A (en) * 2018-12-04 2019-03-19 中国电子科技集团公司第三十研究所 A kind of unified identity authentication method based on block chain
CN109495490B (en) * 2018-12-04 2021-04-09 中国电子科技集团公司第三十研究所 Block chain-based unified identity authentication method
CN109743198A (en) * 2018-12-25 2019-05-10 中链科技有限公司 Intelligent block network establishing method and system
CN109766727B (en) * 2018-12-25 2021-04-06 苏州朗润创新知识产权运营有限公司 Intelligent block network construction method and system
CN109766727A (en) * 2018-12-25 2019-05-17 中链科技有限公司 Intelligent block network establishing method and system
CN109889508A (en) * 2019-01-25 2019-06-14 北京融链科技有限公司 A kind of right management method and device
CN110008735A (en) * 2019-01-31 2019-07-12 阿里巴巴集团控股有限公司 The method and node, storage medium that contract calls are realized in block chain
CN110020549B (en) * 2019-02-19 2020-04-07 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain
CN111651787A (en) * 2019-02-19 2020-09-11 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain
CN109936626A (en) * 2019-02-19 2019-06-25 阿里巴巴集团控股有限公司 Method, node and the storage medium of secret protection are realized in block chain
CN109936626B (en) * 2019-02-19 2020-05-29 阿里巴巴集团控股有限公司 Method, node and storage medium for implementing privacy protection in block chain
CN110032885A (en) * 2019-02-19 2019-07-19 阿里巴巴集团控股有限公司 Method, node and the storage medium of secret protection are realized in block chain
CN110020549A (en) * 2019-02-19 2019-07-16 阿里巴巴集团控股有限公司 Method, node and the storage medium of secret protection are realized in block chain
CN109872238A (en) * 2019-02-26 2019-06-11 重庆大数美联科技有限公司 Transaction in assets system access control method and system based on block chain
CN111612388A (en) * 2019-02-26 2020-09-01 北京京东尚科信息技术有限公司 Method and device for merging target orders
CN113614725A (en) * 2019-03-15 2021-11-05 微软技术许可有限责任公司 User selection in data location and policy compliance
CN109981637A (en) * 2019-03-21 2019-07-05 浙江工商大学 A kind of compound authentication method of Internet of Things multi-source intersection based on block chain
CN116112274A (en) * 2019-04-05 2023-05-12 思百得奥克公司 Blockchain, management group rights and integration of access in an enterprise environment
CN116112274B (en) * 2019-04-05 2023-11-24 思百得奥克公司 Blockchain, management group rights and integration of access in an enterprise environment
CN111859411A (en) * 2019-04-25 2020-10-30 国际商业机器公司 Method and system for access authorization of multi-subject device
CN111859411B (en) * 2019-04-25 2024-04-26 国际商业机器公司 Method and system for blockchains in a blockchain network
CN110232080A (en) * 2019-05-23 2019-09-13 智慧谷(厦门)物联科技有限公司 A kind of method for quickly retrieving based on block chain
CN110493347A (en) * 2019-08-26 2019-11-22 重庆邮电大学 Data access control method and system in large-scale cloud storage based on block chain
CN110493347B (en) * 2019-08-26 2020-07-14 重庆邮电大学 Block chain-based data access control method and system in large-scale cloud storage
CN110519066A (en) * 2019-09-29 2019-11-29 广东电网有限责任公司 A kind of Internet of Things secret protection access control method based on block chain technology
CN110855637A (en) * 2019-10-28 2020-02-28 西北工业大学 Block chain Internet of things distributed access control method based on attributes
GB2610144A (en) * 2020-05-05 2023-02-22 Ibm Low trust privileged access management
WO2021224696A1 (en) * 2020-05-05 2021-11-11 International Business Machines Corporation Low trust privileged access management
CN111881472A (en) * 2020-07-22 2020-11-03 云账户技术(天津)有限公司 Data access control method, system, authority management system and medium
CN111881472B (en) * 2020-07-22 2024-04-26 云账户技术(天津)有限公司 Data access control method, system, authority management system and medium
CN111815832A (en) * 2020-07-22 2020-10-23 南京航空航天大学 Intelligent door lock access control method based on attributes
CN112187800B (en) * 2020-09-29 2021-07-27 西安电子科技大学 Attribute-based access control method with anonymous access capability
CN112187800A (en) * 2020-09-29 2021-01-05 西安电子科技大学 Attribute-based access control method with anonymous access capability
CN112822159A (en) * 2020-12-28 2021-05-18 杭州趣链科技有限公司 Permission control method and device for block chain account, electronic equipment and storage medium
CN113065153A (en) * 2021-03-08 2021-07-02 北京大数据先进技术研究院 Digital object resource control and authorization method, device, equipment and storage medium
CN114780980A (en) * 2021-06-15 2022-07-22 北京大数据先进技术研究院 Digital object operation evidence storing and tracing management method, device, equipment and medium
CN113344705B (en) * 2021-06-21 2023-03-17 上海计算机软件技术开发中心 Data sharing method and system based on block chain
CN113344705A (en) * 2021-06-21 2021-09-03 上海计算机软件技术开发中心 Data sharing method and system based on block chain
CN114726639B (en) * 2022-04-24 2023-08-22 国网河南省电力公司信息通信公司 Automatic arrangement method and system for access control policy
CN114726639A (en) * 2022-04-24 2022-07-08 国网河南省电力公司信息通信公司 Automatic arrangement method and system for access control strategy
CN115987696B (en) * 2023-03-21 2023-08-08 深圳市永达电子信息股份有限公司 Zero trust security gateway implementation method and device based on block chain structure
CN115987696A (en) * 2023-03-21 2023-04-18 深圳市永达电子信息股份有限公司 Block chain structure-based zero-trust security gateway implementation method and device

Also Published As

Publication number Publication date
CN108123936B (en) 2021-04-13

Similar Documents

Publication Publication Date Title
CN108123936B (en) Access control method and system based on block chain technology
CN110727712B (en) Data processing method and device based on block chain network, electronic equipment and storage medium
WO2022042301A1 (en) Data processing method and apparatus, smart device and storage medium
US20210243193A1 (en) Systems, methods, and apparatuses for implementing consensus on read via a consensus on write smart contract trigger for a distributed ledger technology (dlt) platform
US10671308B2 (en) Private and fault-tolerant storage of segmented data
US11200260B2 (en) Database asset fulfillment chaincode deployment
US11341121B2 (en) Peer partitioning
CN111461723B (en) Data processing system, method and device based on block chain
US11093558B2 (en) Providing accountability of blockchain queries
US20220138212A1 (en) Blockchain implementing reliability database
US11243917B2 (en) Blockchain implementing reliability database
KR20210133289A (en) Data extraction from blockchain networks
CN110599095B (en) Block chain network-based hazardous waste treatment method and node of block chain network
US11669532B2 (en) Blockchain implementing reliability database
JP2022545683A (en) Blockchain database management system
US20200394175A1 (en) Database world state performance improvement
CN115605868A (en) Cross-network identity provisioning
WO2022058183A1 (en) Integrating device identity into a permissioning framework of a blockchain
CN110598434A (en) House information processing method and device based on block chain network, electronic equipment and storage medium
CN111506589B (en) Block chain data service system, access method and storage medium based on alliance chain
CN110597884B (en) Donation collecting method, device, equipment and storage medium based on block chain network
CN112035291A (en) Snapshot recovery
CN111931220A (en) Consensus processing method, device, medium and electronic equipment for block chain network
CN110544042A (en) Book management method and device based on block chain network
CN110851127A (en) Universal evidence storage method based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210413