CN109325331B - Big data acquisition transaction system based on block chain and trusted computing platform - Google Patents

Publication number
CN109325331B
Authority
CN
China
Prior art keywords
data
block
certificate
module
trusted
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811069639.XA
Other languages
Chinese (zh)
Other versions
CN109325331A (en)
Inventor
关振宇
刘建伟
赵莹
李大伟
秦煜瑶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Abstract

The invention discloses a big data acquisition transaction system based on a block chain and a trusted computing platform, comprising: a user on-chain address verification module, a data acquisition module, a data uploading module, a data credibility verification module and a data reward payment module. The system addresses the shortage of data sources by fusing large-scale personal data islands; achieves full-link credibility of data by supervising and protecting the data acquisition, storage, packaging and uploading operations; and uses a direct anonymous attestation method to protect user privacy when the data acquisition company verifies the validity of a user's on-chain public key address. The decentralized and automated nature of block chain smart contracts ensures that data reward payment is open and transparent. The system thereby reconciles, to a certain degree, the contradiction between personal privacy protection and big data acquisition, ensures the credibility of the data source, and is practical and simple to implement.

Description

Big data acquisition transaction system based on block chain and trusted computing platform
Technical Field
The invention relates to the technical field of cloud computing security, and in particular to a big data acquisition transaction system based on a block chain and a trusted computing platform.
Background
With the rapid development of multimedia, software and storage technology in recent years, technologies such as big data and machine learning have deeply affected and changed the way society produces and lives, but reliable data sources are a precondition for implementing, operating and developing these technologies. The spread of Internet of Things devices offers a solution to the shortage of big data sources: large-scale Internet of Things devices can collect many kinds of data with economic analysis value, such as personal positioning and tracking records, personal health data, and data on personal living habits and preferences. However, there is currently no mature solution for ensuring the fairness and credibility of data transactions and the privacy of data providers.
Disclosure of Invention
The present application is based on the recognition and discovery by the inventors of the following problems:
Internet application technology has developed and spread rapidly, and the rise of Web 2.0 has driven rapid growth in network users and network data volume, so users place higher demands on data storage and processing capacity; the characteristics of cloud computing meet these demands. Centralized cloud computing services make storage very convenient for users, who no longer need to deal with complex hardware management. Despite these attractive advantages, cloud computing also brings new security challenges and threats to data protection. First, traditional encryption for data protection cannot be applied directly, because users no longer physically possess their data. Second, although cloud computing equipment is more powerful and reliable than personal computing devices, it still faces internal and external threats to data integrity: large numbers of hackers who covet cloud data keep digging for vulnerabilities in service providers' Web applications, hoping to break in and obtain valuable data. Finally, the party with priority access to the data is not the user but the cloud computing service provider, which may act dishonestly with the user's data out of self-interest. Private clouds offer physical controllability, exclusivity and high security, so storing personal private data in a private cloud is an increasingly common choice.
The data acquired by the embodiment of the invention must come from authenticated physical hardware devices, and the system authenticates the identity of the Internet of Things sensor devices. Traditional authentication is based on cryptography: a secret key is stored in non-volatile memory, and authentication of the physical entity and protection of its secret information are achieved through digital signatures, encryption and similar means. This approach may suffer physical attacks such as invasive attacks, semi-invasive attacks and side-channel attacks, and is also vulnerable to software attacks such as viruses; applying it where resources are limited and computing capability is poor also meets many problems and obstacles. Unlike traditional authentication, a hardware identity authentication scheme based on physical unclonable functions can effectively solve the problems of key storage and identity authentication. PUFs (Physical Unclonable Functions) are widely used in digital circuits and are broadly classified into memory-based PUFs and delay-based PUFs. The principle is to extract, by some rule, the random differences and physical non-uniformities introduced into a physical entity during manufacturing: when a stimulus (challenge) is input to the entity, it outputs an unpredictable response, and that response serves as the unique identifier of the physical hardware entity. In PUF schemes for digital circuits, the corresponding CRPs (Challenge Response Pairs) may be generated by a BIST (built-in self-test) circuit after the stimulus is input.
With excellent properties such as uniqueness, unpredictability, unclonability and tamper resistance, PUF technology can solve the problems of identity authentication and management, intellectual property protection, and key generation.
Traditional network security protection means such as firewalls, intrusion detection and virus defense all focus on protecting the information security of servers, and relatively fragile terminals are increasingly becoming the main weak link in information system security. To address these security requirements and the various means of attack, trusted computing starts from the computer system architecture: it builds a trust transfer system rooted in hardware security to ensure the credibility of the terminal, and solves at the source the trust problems between people and programs, between people and machines, and between people. "Trusted", as generally accepted by the industry, means establishing a trusted computing environment based on a security chip and ensuring that system entities behave as expected; the security chip embedded in the hardware platform is called a Trusted Platform Module (TPM), and the platform as a whole is called a trusted computing platform. The Trusted Computing Group (TCG) has also proposed relevant specifications for trusted computing platforms. Trusted computing platforms commonly provide the following functions: establishing a root of trust to determine the trust anchor, establishing a chain of trust so that trust is passed on layer by layer, attesting platform identity, attesting platform integrity, and supporting trusted network connection. To prevent malicious users from fabricating large amounts of false data and uploading it in transactions, the invention uses trusted computing technology to provide full-link credibility for data acquisition, storage and processing.
Block chain (Blockchain) technology, by virtue of the openness of its transaction system, decentralization that does not depend on any trust mechanism, tamper resistance guaranteed by timestamps and digital signatures, the permanence of legitimate transactions on the chain, and similar characteristics, solves the double-spending problem and the Byzantine generals problem and realizes a trustless consensus network system. More and more block chain projects have since emerged. Ethereum is a representative one: it is a well-defined information system and supports customized smart contracts. A smart contract is a piece of executable code on the block chain; when its trigger condition is met, the publicly transparent smart contract executes automatically in a decentralized manner. This has made Ethereum popular with more and more developers. The invention uses block chain technology to achieve secure and permanent storage of key data and fair, automatic payment of data rewards.
Based on the above application requirements and technical background, the embodiment of the invention provides a credible big data acquisition transaction system for large-scale personal Internet of Things device networks. The system innovatively integrates private cloud, PUF, trusted computing and block chain technologies, protects the privacy of data providers while ensuring data authenticity and transaction fairness, and is of great significance for integrating data islands and relieving data shortage.
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, the invention aims to provide a big data acquisition transaction system based on a block chain and a trusted computing platform, which reconciles contradictions between personal privacy protection and big data acquisition to a certain extent, ensures the credibility of a data source, and has the advantages of practicality, simplicity and easy implementation.
In order to achieve the above object, an embodiment of the present invention provides a big data acquisition transaction system based on a block chain and a trusted computing platform, including: a user on-chain address verification module, used for communication among the DCC (data collection company), the TTP (trusted third party) and the user to complete a Direct Anonymous Attestation (DAA) protocol, and for adding the block chain public key address bound to the trusted private cloud platform to the DCC transaction user white list; a data acquisition module, used for executing Integrity Measurement of the acquisition program code page while the private cloud platform performs the acquisition operation, so as to obtain a first platform state, for acquiring and uploading a hardware fingerprint through the Internet of Things node, and for securely generating a Data Credential using the data unsealing and sealing functions of the trusted private cloud platform, providing the basis on which subsequent modules verify data credibility; a data uploading module, used for executing integrity measurement of the uploading program code page to obtain a second platform state, for generating a Data Block Credential by linking and packaging that state with the data credential of any time period, and for uploading the data block credential to the system alliance chain in the form of a transaction through the block chain public key address bound to the trusted private cloud platform; a data credibility verification module, used so that, after the DCC publishes the data type it wishes to purchase, it receives the corresponding block numbers and the corresponding original data set fed back by the user, obtains with the assistance of the TTP the valid block numbers corresponding to data collected by legitimate devices in a trusted state, calculates the data block credential verification values of the valid blocks, and uploads them to the smart contract entry; and a data reward payment module, used for automatically tracing, through the smart contract, the data block credentials of the valid blocks recorded on the chain, comparing them with the verification values submitted by the DCC, and automatically paying the data reward to the user according to the number of blocks that compare successfully.
The big data acquisition transaction system based on a block chain and a trusted computing platform of the embodiment of the invention achieves full-link credibility of data by supervising and protecting the data acquisition, storage, packaging and uploading operations, and uses a direct anonymous attestation method to protect user privacy when the DCC verifies the validity of a user's on-chain public key address. The decentralized and automated nature of block chain smart contracts ensures that data reward payment is open and transparent. The system thereby reconciles, to a certain degree, the contradiction between personal privacy protection and big data acquisition, ensures the credibility of the data source, and is practical and simple to implement.
In addition, the big data acquisition transaction system based on the block chain and the trusted computing platform according to the above embodiment of the present invention may further have the following additional technical features:
Further, in an embodiment of the present invention, the user on-chain address verification module is further configured to: generate the key of the anonymous credential issuer, the TTP; issue the anonymous credential to the user side through the TTP using a zero-knowledge proof; and compute the anonymous signature at the user side, so that the DCC can verify the correctness of the user side's anonymous signature.
Further, in an embodiment of the present invention, the data acquisition module is specifically configured to: perform integrity measurement on the code page of the acquisition program through the embedded TPM to generate a PCR value and a measurement log, where the integrity measurement ensures that the data acquisition process runs in a Trusted Execution Environment (TEE), and the PCR value and the measurement log can be used by subsequent modules to verify that the acquisition process ran in a trusted manner; have the Internet of Things device randomly select one challenge from the registered challenge set and obtain a response by executing BIST, the challenge-response pair being uploaded along with the data as the hardware fingerprint; perform data unsealing and sealing through the TPM, so that the data is bound to the trusted platform module and, through the PCR (Platform Configuration Register), to the platform state, with the result that any tampering with or fabrication of data stored on the private cloud platform causes the subsequent data credibility verification to fail; and calculate the data credential for each time period according to a preset data structure, where the inputs are the sensor measurement data, a timestamp, the integrity measurement log, the integrity measurement value, the PUF challenge-response pair and the data credential value of the previous time period, and the output is the data credential value of the current time period.
Further, in an embodiment of the present invention, the data uploading module is specifically configured to: perform integrity measurement through the TPM on the code page of the private cloud script program that uploads data to the block chain, generating a corresponding measurement log and PCR value; take as input the data credential and timestamp of any time period together with the measurement log and measurement value generated by the integrity measurement of the uploading program, and perform linking and hashing operations, the output value being the data block credential of that time period; and, within the established TEE, have the uploading script send a transaction containing the data block credential from the on-chain public key address, so that the transaction is permanently recorded on the system's alliance chain once it has been packed into a block and added to the chain.
Further, in an embodiment of the present invention, the data credibility verification module is specifically configured to: publish, through the DCC, the type of Internet of Things device data required; obtain, according to the data requirement published by the DCC, the block numbers of the data block credentials corresponding to the original data, and send the block numbers to the DCC together with the original data; and obtain the numbers of the valid blocks with the assistance of the TTP, calculate the data block credential verification values of the valid blocks, and upload them to the corresponding interface of the block chain platform.
Further, in an embodiment of the present invention, the data reward payment module is further configured so that the smart contract on the block chain obtains the valid block numbers from the data block credential verification values of the valid blocks input by the DCC, automatically traces the recorded data block credential values of the valid blocks on the chain and compares them with the verification values, and, according to the number of successfully verified data block credentials, automatically pays the data reward to the user without relying on a third party.
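The credential chain and the settlement comparison described in the preceding paragraphs, as an added example that is not part of the patent text. SHA-256, the length-prefixed field encoding, the all-zero first "previous credential", and every field name and sample value are assumptions, since the text here does not fix them.

```python
import hashlib
from dataclasses import dataclass, replace

GENESIS = b"\x00" * 32  # assumed "previous credential" for the first period


def h(*fields: bytes) -> bytes:
    """SHA-256 over length-prefixed fields (hash and encoding are assumptions)."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big"))
        digest.update(field)
    return digest.digest()


@dataclass(frozen=True)
class Period:
    """Record for one time period; field names are hypothetical."""
    sensor_data: bytes
    timestamp: int
    acq_log: bytes      # measurement log of the acquisition program
    acq_pcr: bytes      # PCR value for the acquisition program
    challenge: bytes    # PUF challenge chosen by the device
    response: bytes     # PUF response obtained through BIST
    upload_ts: int
    upload_log: bytes   # measurement log of the uploading program
    upload_pcr: bytes   # PCR value for the uploading program


def data_credential(p: Period, prev: bytes) -> bytes:
    """Credential of the current period, chained to the previous period's."""
    return h(p.sensor_data, p.timestamp.to_bytes(8, "big"), p.acq_log,
             p.acq_pcr, p.challenge, p.response, prev)


def data_block_credential(p: Period, cred: bytes) -> bytes:
    """Value the uploading script records on the chain for this period."""
    return h(cred, p.upload_ts.to_bytes(8, "big"), p.upload_log, p.upload_pcr)


def block_credentials(periods):
    """One data block credential per period, as block number -> value."""
    out, prev = {}, GENESIS
    for number, p in enumerate(periods):
        prev = data_credential(p, prev)
        out[number] = data_block_credential(p, prev)
    return out


def ttp_valid_blocks(periods, registered_crps, trusted_pcrs):
    """TTP check: registered challenge-response pair and trusted platform states."""
    return [n for n, p in enumerate(periods)
            if registered_crps.get(p.challenge) == p.response
            and p.acq_pcr in trusted_pcrs and p.upload_pcr in trusted_pcrs]


def contract_settle(on_chain, submitted):
    """Smart-contract comparison: number of valid blocks that match the record."""
    return sum(1 for n, value in submitted.items() if on_chain.get(n) == value)


def dcc_verify(raw_periods, on_chain, registered_crps, trusted_pcrs):
    """DCC side: recompute from the user's raw data, keep valid blocks, settle."""
    recomputed = block_credentials(raw_periods)
    valid = ttp_valid_blocks(raw_periods, registered_crps, trusted_pcrs)
    return contract_settle(on_chain, {n: recomputed[n] for n in valid})


def demo():
    """Constructed sample: four periods from one device on one platform."""
    good_pcr = hashlib.sha256(b"expected-program-image").digest()
    periods = [Period(b"heart_rate=%d" % (60 + i), 1000 + 60 * i, b"acquire-log",
                      good_pcr, b"challenge-%d" % i, b"response-%d" % i,
                      1030 + 60 * i, b"upload-log", good_pcr) for i in range(4)]
    crps = {p.challenge: p.response for p in periods}
    on_chain = block_credentials(periods)
    honest = dcc_verify(periods, on_chain, crps, {good_pcr})

    # Raw data for period 1 altered after upload: block 1 and every later
    # block fail, because each credential includes the previous one.
    forged = list(periods)
    forged[1] = replace(forged[1], sensor_data=b"heart_rate=999")
    tampered = dcc_verify(forged, on_chain, crps, {good_pcr})

    # Period 2 collected by a modified acquisition program: recorded
    # consistently on the chain, but the TTP rejects its platform state.
    odd = list(periods)
    odd[2] = replace(odd[2], acq_pcr=hashlib.sha256(b"modified-image").digest())
    untrusted = dcc_verify(odd, block_credentials(odd), crps, {good_pcr})
    return honest, tampered, untrusted


if __name__ == "__main__":
    print(demo())
```

The three counts returned by `demo()` are the numbers of blocks a contract would pay for in the honest, tampered and untrusted-platform cases.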
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic structural diagram of a big data collection transaction system based on a blockchain and a trusted computing platform according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a block chain and trusted computing platform based big data collection transaction system according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a data structure of a data credential, according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a data structure of an Ethereum alliance chain transaction, according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative and intended to explain the present invention and should not be construed as limiting the present invention.
Before introducing the big data acquisition and transaction system based on the blockchain and the trusted computing platform, the mathematical foundation of the embodiment of the invention is briefly introduced.
(1) Bilinear mapping e:
Figure GDA0003404488110000051
Let p be a large prime number,
Figure GDA0003404488110000052
and
Figure GDA0003404488110000053
be two cyclic groups of order p, let g be a generator of
Figure GDA0003404488110000054
, and let
Figure GDA0003404488110000055
be a bilinear map. If e satisfies the following properties, we call
Figure GDA0003404488110000056
and
Figure GDA0003404488110000057
bilinear groups:
(i) Bilinearity: for all
Figure GDA0003404488110000058
we have $e(u^a, v^b) = e(u, v)^{ab} = e(u^b, v^a)$;
(ii) Non-degeneracy:
Figure GDA0003404488110000059
at least one element g exists in the group such that $e(g, g)$ is a generator of the group
Figure GDA00034044881100000510
, i.e. $e(g, g) \neq 1$;
(iii) Computability: there are efficient algorithms such that, for all
Figure GDA00034044881100000511
the value of $e(u, v)$ can be computed efficiently.
(2) q-SDH assumption (q-Strong Diffie-Hellman Assumption, q-SDH):
Figure GDA00034044881100000512
is a cyclic group of prime order p. The q-SDH assumption holds in
Figure GDA00034044881100000513
if the probability:
Figure GDA0003404488110000061
is negligible, where
Figure GDA0003404488110000062
and $\psi$ is an isomorphism from group
Figure GDA0003404488110000063
to
Figure GDA0003404488110000064
with $\psi(g_2) = g_1$.
(3) Signature of knowledge: the embodiment of the invention uses signatures of knowledge as a tool when constructing the direct anonymous attestation scheme. A signature of knowledge allows a party to prove that it knows a secret value without revealing any useful information. Such tools are essentially zero-knowledge proofs or minimal leakage proofs of knowledge. For example:
Figure GDA0003404488110000065
means "a zero-knowledge proof of knowledge of integers $\alpha$, $\beta$, $\delta$ such that $y = g^{\alpha} h^{\beta}$,
Figure GDA0003404488110000066
and $(u \le \alpha \le v)$", where
Figure GDA0003404488110000067
are elements of group
Figure GDA0003404488110000068
and group
Figure GDA0003404488110000069
. Meanwhile, the Fiat-Shamir heuristic can be used to convert the zero-knowledge proof into a signature of knowledge on the message m, which can be written as $SPK\{(\alpha): y = g^{\alpha}\}(m)$.
(4) Collision-resistant hash algorithm:
Figure GDA00034044881100000610
The collision-resistant hash function used in the embodiment of the invention has two basic properties: one-wayness and collision resistance. One-wayness means that the output can be derived from the input through the hash function, but the input cannot be computed from the hash function output; collision resistance means that two different inputs whose hash results are identical cannot be found. The hash algorithm in the present invention takes plaintext as input and maps it to an output in the field
Figure GDA00034044881100000611
.
The following describes a big data acquisition transaction system based on a block chain and a trusted computing platform according to an embodiment of the present invention with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a big data collection transaction system based on a blockchain and a trusted computing platform according to an embodiment of the present invention.
As shown in FIG. 1, the big data acquisition transaction system 10 based on a block chain and a trusted computing platform includes: a user on-chain address verification module 100, a data acquisition module 200, a data uploading module 300, a data credibility verification module 400 and a data reward payment module 500.
The user on-chain address verification module 100 is used for communication among the data collection company (DCC), the trusted third party (TTP) and the user to complete a direct anonymous attestation protocol, and adds the block chain public key address bound to the trusted private cloud platform to the DCC transaction user white list. The data acquisition module 200 is configured to execute integrity measurement of the acquisition program code page while the private cloud platform performs the acquisition operation, so as to obtain a first platform state, to acquire and upload a hardware fingerprint through the Internet of Things node, and to securely generate a data credential using the data unsealing and sealing functions of the trusted private cloud platform, providing the basis on which subsequent modules verify data credibility. The data uploading module 300 is configured to execute integrity measurement of the uploading program code page to obtain a second platform state, to link and package that state with the data credential of any time period to generate a data block credential, and to upload the data block credential to the system alliance chain in the form of a transaction through the block chain public key address bound to the trusted private cloud platform. The data credibility verification module 400 is configured so that, after the DCC publishes the data type it wishes to purchase, it receives the corresponding block numbers and the corresponding original data set fed back by the user, obtains with the assistance of the TTP the valid block numbers corresponding to data collected by legitimate devices in a trusted state, calculates the data block credential verification values of the valid blocks, and uploads them to the smart contract entry. The data reward payment module 500 is configured to automatically trace, through the smart contract, the data block credentials of the valid blocks recorded on the chain and compare them with the verification values submitted by the DCC, so as to pay the data reward to the user openly and automatically according to the number of blocks that compare successfully. The system 10 of the embodiment of the invention addresses the shortage of data sources by fusing large-scale personal data islands, enables fair and transparent data transactions, and protects the privacy of data providers while ensuring the credibility of the transaction data.
It can be understood that, with the system 10 of the embodiment of the present invention, on one hand, the data collection company can verify the reliability and integrity of the purchased data; on the other hand, data providers can be publicly and transparently paid automatically for data rewards while maintaining anonymity. The system provided by the invention comprises the following 3 network entities:
(1) Data Collection Company (DCC): enterprise organizations that wish to purchase data recorded by personal Internet of Things devices and that provide trusted computing platform devices and transaction network platforms;
(2) User: individuals who own smart devices and certified trusted computing platforms and are willing to conduct data transactions;
(3) Trusted Third Party (TTP): the registry of user smart devices and CRPs, the issuer of anonymous credentials (Issuer) in the DAA protocol, and an organization that can evaluate and securely audit the operating state submitted by trusted computing platforms.
Specifically, the embodiment of the present invention relates to a trusted big data acquisition transaction system 10 based on PUF, trusted computing and block chain technology, which includes a user on-chain address verification module 100, a data acquisition module 200, a data uploading module 300, a data credibility verification module 400 and a data reward payment module 500. The system flow is as follows:
1. User on-chain address verification module 100: the DCC, the TTP and the user interact to complete a direct anonymous attestation protocol, and the block chain public key address bound to the trusted private cloud platform is added to the DCC transaction user white list without leaking the identity information of any user.
2. Data acquisition module 200: integrity measurement of the acquisition program code page is executed to obtain a first platform state, and the Internet of Things node then obtains and uploads a hardware fingerprint; these two are the basis on which subsequent modules verify data credibility. The data credential is then generated securely using the data unsealing and sealing functions of the private cloud platform.
3. Data uploading module 300: integrity measurement of the uploading program code page is executed to obtain a second platform state, the data credential and other data are linked and packaged to generate a data block credential, and the data block credential is uploaded to the system alliance chain in the form of a transaction through the block chain public key address bound to the legitimate, trusted private cloud platform, so that it is permanently recorded.
4. Data credibility verification module 400: after the DCC publishes the data type it wishes to purchase, the user feeds back the corresponding block numbers and the corresponding original data set; with the assistance of the TTP, the DCC obtains the valid block numbers corresponding to data collected by legitimate devices in a trusted state, calculates the data block credential verification values of the valid blocks, and uploads them to the smart contract entry.
5. Data reward payment module 500: the smart contract automatically traces the data block credentials of the valid blocks recorded on the chain, compares them with the verification values submitted by the DCC, and automatically pays the data reward to the user according to the number of blocks that compare successfully.
The main idea is as follows: PUF technology is used on the personal Internet of Things device node to obtain a device hardware fingerprint, which serves as the 'pass' for hardware device admission authentication. The private cloud platform with an embedded trusted platform module guarantees the credibility of the data link from the authenticated Internet of Things node device to the private cloud platform through integrity measurement of the data collection code page and data decapsulation and encapsulation operations. The data provider gives the data collection company the public key address on the block chain that is bound to the certified TPM by means of direct anonymous attestation, so the data provider remains anonymous and privacy is protected. Finally, with the support of the trusted third party, the data collection company can verify the credibility of the data provided by the data provider, and the data remuneration is paid fairly and impartially through a smart contract on the block chain.
The big data collection transaction system 10 based on blockchain and trusted computing platform will be further described with reference to specific embodiments.
Further, in an embodiment of the present invention, the user on-chain address verification module 100 is further configured to: generate the key of the anonymous credential issuer TTP; issue, by the TTP, an anonymous certificate to the user side through a zero-knowledge proof; and calculate an anonymous signature at the user side, so that the DCC can verify the correctness of the user side's anonymous signature.
It can be appreciated that the channel through which the user uploads the data block credentials cre_block_i (i = 1, 2, ..., N) is the blockchain: the public key address on the blockchain that is bound to the user's private cloud platform with an embedded legitimate TPM,
Figure GDA0003404488110000081
initiates a transaction, and the transaction is permanently stored once a miner packs it onto the chain.
Figure GDA0003404488110000082
An address is added to the DCC's whitelist of tradable user chain addresses by means of the DAA protocol, which is completed through three-party communication among the user, the DCC and the TTP. The TTP acts as the issuer and issues an anonymous certificate to a private cloud platform with an embedded legitimate TPM. The user side, i.e. the trusted private cloud computing platform, acts as the prover; its task is to provide a DAA signature to the verifier, and the signed message is the user's on-chain public key address. The DCC acts as the verifier; its task is to verify the correctness of the DAA signature provided by the prover in order to decide whether to add the signed address to the tradable whitelist.
The implementation of the module 100 is specifically divided into 4 steps which are executed in sequence, and the sequence is as follows:
Step 1: KeyGen: generate the key of the anonymous credential issuer TTP;
Step 2: DAA-Join: the TTP issues an anonymous certificate to the user side through a zero-knowledge proof;
Step 3: DAA-Sign: the user side calculates an anonymous signature;
Step 4: DAA-Verify: the DCC verifies the correctness of the user side's anonymous signature.
Specifically, Step 1: KeyGen: the TTP selects
Figure GDA0003404488110000091
The order of the group is p, the length is k, and there is a bilinear mapping:
Figure GDA0003404488110000092
ψ(g_2) = g_1. The TTP selects
Figure GDA00034044881100000913
and computes
Figure GDA0003404488110000094
The key pair of the TTP is: (pk, sk) = ((p, g_1, g_2, g_3, Y, g, h), r).
Step 2: DAA-Join:
(1) The TPM embedded in the private cloud selects secret information
Figure GDA00034044881100000914
a random number
Figure GDA00034044881100000915
and a signature identifier SSID (sol_Signature identifier), calculates η = H_1(SSID) and the Pedersen commitment C = g^f h^{t'}, and the private cloud trusted platform module then proves that it possesses the secret knowledge f, t': it randomly selects
Figure GDA0003404488110000095
computes
Figure GDA0003404488110000096
and sends it to the TTP; the TTP randomly selects
Figure GDA0003404488110000097
and sends it to the private cloud platform; the TPM calculates s_f = r_f + cf, s_t' = r_t' + ct', and sends s_f and s_t' to the TTP; the TTP verifies
Figure GDA0003404488110000098
(2) The TTP selects
Figure GDA00034044881100000918
t'' ∈_R Z_p, calculates A = (g_1 C h^{t''})^{1/(y+x)}, and sends A, x and t'' to the private cloud.
(3) The private cloud host stores A and x, and sends t'' to the TPM.
(4) The TPM calculates t = t' + t'', stores f and t, and verifies whether the following equation holds:
Figure GDA00034044881100000917
Step 3: DAA-Sign:
(1) The private cloud host randomly selects
Figure GDA00034044881100000916
and calculates T_1 = A h^w, T_2 = g^w h^{-x}; T_1 and T_2 are commitments to A and x. It proves that the following two equations hold:
e(T_1, Y)/e(g_1, g_2) = e(h, Y)^w e(h, g_2)^{wx+t} e(g, g_2)^f / e(T_1, g_2)^x
Figure GDA00034044881100000910
(2) The private cloud platform proves that it knows f, x, w and t such that the above equations hold. It calculates the auxiliary values δ_1 = wx, δ_2 = -xx. The TPM randomly selects r_f ∈ Z_p, r_t ∈ Z_p, calculates
Figure GDA00034044881100000911
and sends
Figure GDA00034044881100000912
to the private cloud host.
Figure GDA0003404488110000101
The private cloud host selects
Figure GDA0003404488110000102
and calculates:
Figure GDA0003404488110000103
Figure GDA0003404488110000104
Figure GDA0003404488110000105
Figure GDA0003404488110000106
The private cloud host computes:
c_h = H(η || g || h || g_1 || g_2 || g_3 || g_T || Y || T_1 || T_2 || T_3 || R_1 || R_2 || R_3 || R_4);
and sends c_h to the TPM.
The TPM selects
Figure GDA0003404488110000107
and calculates c = H(c_h || n_t || m), where the signed message m is the public key address on the user block chain bound to the legitimate trusted private cloud platform.
The private cloud host calculates
Figure GDA0003404488110000108
The TPM calculates s_f = r_f + cf, s_t = r_t + c(-t).
The private cloud host outputs the signature δ = (δ, T_1, T_2, T_3, c, n_t, s_f, s_x, s_t, s_w, s_δ1, s_δ2).
Step 4: DAA-Verify:
(1) Given the signature on the public key address m on the user block chain
Figure GDA0003404488110000109
and the public key (p, g_1, g_2, g_T, Y, g, h), the DCC calculates:
Figure GDA00034044881100001010
Figure GDA00034044881100001011
Figure GDA00034044881100001012
Figure GDA00034044881100001013
(2) The DCC verifies whether the following equation holds:
Figure GDA00034044881100001014
If it holds, m is added to the whitelist of tradable user public key addresses.
Further, in an embodiment of the present invention, the data acquisition module 200 is specifically configured to: perform integrity measurement on the collection program code page through the embedded TPM to generate a PCR value and a measurement log; have the Internet of Things device randomly select one challenge from the registered challenge set and obtain a response by executing BIST, the challenge-response pair being uploaded along with the data as the hardware fingerprint; perform data unsealing and data encapsulation through the TPM, so that the data certificate stored in the previous period is bound to the trusted platform module and, through the PCR value, to a platform state; and calculate the data certificate corresponding to each time period according to a preset data structure, where the input comprises sensor measurement data, a timestamp, an integrity measurement log, an integrity measurement value, a PUF challenge-response pair and the data certificate value of the previous time period, and the output is the data certificate value of the current time period.
It is understood that, as shown in fig. 2, the data acquisition module 200 is divided into 4 steps to be performed sequentially, as follows.
Step 1: integrity measurement of the collection program code page: when the private cloud platform collects data, the embedded TPM performs integrity measurement on the code page where the collection program is located, and generates a PCR value, stored in a Platform Configuration Register (PCR), and a measurement log. Integrity measurement ensures that the data collection process runs in a trusted execution environment, and subsequent modules can use the PCR value and the measurement log to verify whether the collection process ran in a trusted state.
Step 2: acquiring the hardware fingerprint of the Internet of Things device: the user's Internet of Things device registers its CRPs (challenge-response pairs) at the TTP (trusted third party) before leaving the factory. Each time the private cloud platform collects data from the Internet of Things device, the device selects one challenge from the registered challenge set, obtains a response by executing BIST (built-in self-test), and uploads the challenge-response pair to the private cloud along with the data, which shows that the device uploading the data is the device with the corresponding hardware identity.
Step 3: data decapsulation and encapsulation: after the Internet of Things device data is uploaded to the private cloud platform, the TPM executes data unsealing and data encapsulation operations to guarantee the secure generation of the data certificate. Data encapsulation binds the data to a trusted platform module and, through the PCR, to a platform state, which guarantees the credibility of the system operating environment and of the data. Because of this technique, tampering with or fabricating the data stored on the private cloud platform causes the subsequent data credibility verification to fail, which prevents forgery of Internet of Things device data.
Step 4: data certificate generation: the data certificate cre_data_i (i = 1, 2, ..., N) corresponding to each time period is calculated according to the data structure shown in fig. 3. The input comprises sensor measurement data, a timestamp, an integrity measurement log, an integrity measurement value, a PUF challenge-response pair and the data certificate value of the previous time period; the algorithm is a nested hash, and the output is the data certificate value of the current time period.
Specifically, Step 1: integrity measurement of the collection program code page: this yields the security state of the key code that runs when the trusted private cloud platform executes a data collection operation, and ensures that data which passes the subsequent credibility verification was collected in the trusted execution environment.
Integrity measurement is one of the functions of the TPM; in effect, it is the process of computing a hash value of the measured object with a cryptographic hash algorithm. The input of the hash operation is the code page where the data collection program is located, and the output hash value is the integrity measurement value of the code page. The TPM records the measurement value into the designated PCR as follows: new PCR value = cryptographic hash(original PCR value || measurement value). When the platform executes an integrity measurement operation, information about the measurement process is recorded in the platform event log, including: the measurer information, the measured object information, the original PCR value, the measurement value, the new PCR value and the completion time. Before each data collection operation of the private cloud, the embedded TPM executes this operation once and generates the PCR value and measurement log of the key program code page as one of the inputs of the data encapsulation operation.
Step 2: acquiring the hardware fingerprint of the Internet of Things device: the invention uses a memory-based PUF (such as an SRAM PUF) to implement the hardware identity authentication scheme for Internet of Things devices. Process variation during manufacturing causes the parameters of the symmetric cells in the SRAM to be mismatched; after the SRAM is powered on, the bistable cells of the SRAM enter an unstable state, oscillate, and settle back to a stable state of 0 or 1, which yields the corresponding response. Before each transmission of data to the private cloud, the Internet of Things device selects one of the CRPs registered at the TTP and inputs the challenge C to the built-in self-test circuit to obtain the PUF response R. Each hardware device relies on its embedded PUF to generate a unique identity code for identity authentication, and this identity code (the PUF challenge-response pair) is uploaded to the private cloud along with the data in preparation for the subsequent data credibility verification.
Step 3: data decapsulation and encapsulation: after receiving the identity authentication information and the sensor data sent by the Internet of Things device, the private cloud compresses and packs them together with the previously collected data. To ensure the security of the previously generated compressed data values, the invention uses data encapsulation and decapsulation. These operations bind the critical data to a specific platform state (PCR value) and to the trusted platform module, so the data is bound not only to one trusted platform module but also, through the PCR, to one platform state.
For example, to generate H_i in the i-th sub-period of the 1st period, the H_{i-1} generated in the (i-1)-th sub-period is unsealed. The unsealing operation comprises the following steps:
(1) Read the H_{i-1} sealed in the (i-1)-th sub-period from the designated PCR:
H_{i-1} || PCR_value_{i-1} || TPM_Proof = Decrypt(key, sealedData_{i-1});
(2) The TPM compares whether the current PCR value is the same as the decrypted PCR_value;
(3) The TPM compares whether the decrypted TPM_Proof is the same as the internally stored value;
(4) If both comparisons match, H_{i-1} is output.
Here TPM_Proof is the unique identifier of the TPM. With H_{i-1} and the other related data as input, the data packing operation generates the data certificate H_i of the i-th period, and a data encapsulation operation is then executed on H_i to ensure the secure storage of the data certificate during the period from i to (i+1), that is, the following operation is executed:
sealedData_i = Encrypt(key, (H_i || PCR_value_i || TPM_Proof)).
Step 4: data certificate generation: the data certificate cre_data_i (i = 1, 2, ..., N) corresponding to each time period is calculated according to the data structure shown in fig. 3. Each period is divided into n sub-periods. Taking the H_i generated in the i-th sub-period of the 1st period as an example:
H_i = h(m_i || t_i || PCR_log_i || PCR_value_i || C_i || R_i || H_{i-1}) (i = 1, 2, ..., n),
that is, the Internet of Things device data uploaded to the private cloud platform at time t_i, the real-time timestamp, the integrity measurement log and PCR value of the running collection program, the challenge and response of the Internet of Things device PUF, and the H_{i-1} generated in the (i-1)-th sub-period are concatenated and hashed. H_{i-1} (where i = 2, 3, ..., n) can only be read out after a data decapsulation operation, which ensures that the data certificate preceding the i-th sub-period has not been tampered with. After n sub-periods, the data certificate H_n of the first period (i.e., cre_data_1) is generated.
Further, in an embodiment of the present invention, the data uploading module 300 is specifically configured to: use the TPM to perform integrity measurement on the code page of the script program that uploads to the block chain, generating a corresponding measurement log and PCR value; take as input the data certificate and timestamp of any time period together with the measurement log and measurement value generated by the integrity measurement of the upload program, and execute concatenation and hash operations whose output is the data block certificate of that time period; and, in the established TEE, have the upload script send a transaction containing the data block certificate through the on-chain public key address, so that the transaction is permanently recorded on the consortium chain of the system after being packed onto the chain.
It can be understood that, as shown in fig. 2, the data uploading module 300 specifically includes:
Step 1: integrity measurement of the upload program code page: the TPM embedded in the private cloud platform performs integrity measurement on the code page of the script that uploads data to the block chain, and generates a corresponding measurement log and PCR value for the subsequent verification of the credibility of the upload process.
Step 2: generating and uploading the data block certificate: the data block certificate is the certificate that is finally recorded on the block chain. The inputs are the data certificate and timestamp of a given time period and the measurement log and measurement value generated by measuring the integrity of the upload program; the output of the concatenation and hash operations is the data block certificate of that time period. Thereafter, in the created TEE, the upload script uses the on-chain public key address
Figure GDA0003404488110000131
to send the transaction containing the data block certificate; after being packed onto the chain, the transaction is permanently recorded on the consortium chain of the system.
Specifically, Step 1: integrity measurement of the upload program code page: assuming that the user side uploads N data block certificates, the TPM embedded in the private cloud platform measures the integrity of the code page of the script program that uploads data to the block chain, and generates the measurement log PCR_log_j and PCR_value_j (j = 1, 2, ..., N) for the data upload script; the subsequent data credibility verification can determine the credibility of the upload process from these two pieces of information.
Step 2: generating and uploading the data block certificate: the data block certificate is the certificate finally recorded on the block chain, and its data structure is as follows:
cre_block_j = h(t_j || PCR_log_j || PCR_value_j || cre_data_j) (j = 1, 2, ..., N),
cre_block_j is the value produced by concatenating and hashing the timestamp at time t_j, the measurement log and PCR value generated after the trusted private cloud platform executes the integrity measurement operation on the upload script program code page, and the cre_data_j (j = 1, 2, ..., N) generated in the j-th time period. Then, in the established TEE, the upload script uses the on-chain public key address
Figure GDA0003404488110000141
to send the transaction containing the data block certificate (as shown in fig. 4) to the transaction pool, where it waits for a miner to pack it. After the miner completes the proof of work, the block containing the transaction is generated and broadcast; once enough blocks have been linked after that block, the data transaction certificate can be considered permanently recorded on the block chain.
In fig. 4: (1) nonce represents a block number; (2) operations in Ethereum such as issuing transactions and executing or calling contract functions consume a certain cost, counted in units of gas. gasLimit is the maximum amount of gas allowed for a single transaction, and gasPrice is the set gas price, typically in units of GWei (1 ETH = 1000000000 GWei); (3) Recipient is the receiving account of the transaction; this transaction belongs to the message call transaction type of Ethereum transactions, so the value is the user who initiates the data block certificate transaction; (4) Value is the transfer amount, and it is 0 because the transaction used by the invention is only used for data recording; (5) v, r, s are the parameters required for the miners' ECDSA signature; (6) data is the data block certificate, which is permanently recorded and stored after the block is packed onto the chain.
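The two certificate formulas above, as an added example rather than code from the patent: it builds cre_data and cre_block and recomputes them from raw data the way the DCC does before the comparison on chain. SHA-256, the all-zero H_0 and the length prefix on each concatenated field are assumptions; the sample readings and block numbers are constructed.

```python
import hashlib
import hmac
import struct

ZERO = b"\x00" * 32  # assumed H_0; the page does not define the first chain value


def h(*fields: bytes) -> bytes:
    """h(a || b || ...), SHA-256 assumed. Each field is length-prefixed (assumption)
    so that ("ab", "c") and ("a", "bc") cannot produce the same hash input."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(struct.pack(">I", len(field)))
        digest.update(field)
    return digest.digest()


def data_certificate(sub_periods, h0=ZERO):
    """cre_data = H_n, H_i = h(m_i||t_i||PCR_log_i||PCR_value_i||C_i||R_i||H_{i-1})."""
    h_prev = h0
    for sp in sub_periods:
        h_prev = h(sp["m"], sp["t"], sp["pcr_log"], sp["pcr_value"],
                   sp["C"], sp["R"], h_prev)
    return h_prev


def block_certificate(upload, cre_data):
    """cre_block_j = h(t_j||PCR_log_j||PCR_value_j||cre_data_j)."""
    return h(upload["t"], upload["pcr_log"], upload["pcr_value"], cre_data)


def verification_value(raw_period):
    """Value recomputed from the raw data a user hands over for one block."""
    return block_certificate(raw_period["upload"],
                             data_certificate(raw_period["sub_periods"]))


def count_matching_blocks(on_chain, raw_by_block):
    """Number of blocks whose recorded cre_block equals the recomputed value."""
    matches = 0
    for block_no, raw in raw_by_block.items():
        recorded = on_chain.get(block_no)
        if recorded is not None and hmac.compare_digest(recorded, verification_value(raw)):
            matches += 1
    return matches


def make_period(period_no, n=3):
    """Constructed sample data: n sub-periods plus one upload record."""
    subs = [{"m": f"temp={20 + i}.5C".encode(),
             "t": f"2024-01-01T10:{period_no:02d}:{i:02d}Z".encode(),
             "pcr_log": b"measure collector.bin",
             "pcr_value": hashlib.sha256(b"collector.bin").digest(),
             "C": bytes([period_no, i]),
             # stand-in for a PUF response, not a real one
             "R": hashlib.sha256(bytes([period_no, i])).digest()[:16]}
            for i in range(1, n + 1)]
    upload = {"t": f"2024-01-01T11:{period_no:02d}:00Z".encode(),
              "pcr_log": b"measure uploader.py",
              "pcr_value": hashlib.sha256(b"uploader.py").digest()}
    return {"sub_periods": subs, "upload": upload}


def demo():
    raw = {101: make_period(1), 102: make_period(2)}  # block numbers are made up
    chain = {no: verification_value(p) for no, p in raw.items()}
    honest = count_matching_blocks(chain, raw)
    # One sensor reading is edited after the certificate was recorded on chain.
    raw[102]["sub_periods"][1]["m"] = b"temp=99.9C"
    tampered = count_matching_blocks(chain, raw)
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

The length prefix matters because plain concatenation of variable-length fields lets two different field splits feed identical bytes to the hash.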
Further, in an embodiment of the present invention, the data credibility verification module 400 is specifically configured to: publish, through the DCC, the type of Internet of Things device data required; obtain, according to the data requirement published by the DCC, the number of the block containing the data block certificate that corresponds to the raw data, and send the block number together with the raw data to the DCC; and trace back the corresponding transactions and data block certificates according to the block numbers fed back, obtain the numbers of the valid blocks with the assistance of the TTP, calculate the data block certificate verification values of the valid blocks, and upload them to the corresponding interface of the system's data reward payment module.
It is understood that, as shown in fig. 2, the data credibility verification module 400 specifically includes:
Step 1: the DCC publishes data requirements: the DCC publishes the type of Internet of Things device data required, such as the device type and the meaning of the data.
Step 2: the user feeds back the block numbers and sends the raw data: the user finds the numbers of the blocks containing the data block certificates that correspond to the required raw data, according to the data requirement published by the DCC, and sends the block numbers together with the raw data to the DCC.
Step 3: generating the data block certificate verification values of the valid blocks: the DCC traces back the corresponding transactions and data block certificates according to the block numbers fed back, and obtains the numbers of the valid blocks with the assistance of the TTP. A valid block is one whose data block certificate was uploaded by an Internet of Things device with an authenticated hardware identity, with the collection, storage, packing and upload operations performed in the TEE. The DCC calculates the data block certificate verification values of the valid blocks according to the method of the present invention from the raw data uploaded by the user and the valid block numbers, and inputs them at the interface of the block chain payment platform.
Specifically, Step 1: the DCC publishes data requirements: the DCC publishes the type of data it wishes to purchase by writing it into the terms of a smart contract on the block chain. The public key address from which the DCC issues the smart contract is public and can be made known to users through advertisements and official website announcements; a user executes subsequent operations such as feeding back block numbers only after comparing the public key address of the smart contract issuer with the published account address and finding them the same.
Step 2: the user feeds back the block numbers and sends the raw data: the user finds the block numbers (assumed to be 1, ..., N) containing the data block certificates that correspond to the required raw data, according to the data requirement published by the DCC, and sends the block numbers together with the raw data to the DCC. The raw data contains:
(1) Sensor measurement data: M = {m_1, ..., m_n; ...; m_{(N-1)n}, ..., m_{Nn}};
(2) Timestamps: T_1 = {t_1, ..., t_n; ...; t_{(N-1)n}, ..., t_{Nn}} and T_2 = {t_A, ..., t_{A+N}};
(3) Internet of Things device PUF challenge-response sets:
C = {C_1, ..., C_n; ...; C_{(N-1)n}, ..., C_{Nn}}, R = {R_1, ..., R_n; ...; R_{(N-1)n}, ..., R_{Nn}};
(4) Collection program integrity measurement logs:
LOG_1 = {PCR_log_1, ..., PCR_log_n; ...; PCR_log_{(N-1)n}, ..., PCR_log_{Nn}};
(5) Collection program integrity measurement values:
PCR_1 = {PCR_value_1, ..., PCR_value_n; ...; PCR_value_{(N-1)n}, ..., PCR_value_{Nn}};
(6) Certificate upload program integrity measurement logs: LOG_2 = {PCR_log_A, ..., PCR_log_{A+N}};
(7) Certificate upload program integrity measurement values: PCR_2 = {PCR_value_A, ..., PCR_value_{A+N}}.
Step 3: generating the data block certificate verification values of the valid blocks: the DCC traces back the data block certificate values recorded in the N blocks according to the block numbers submitted by the user. The DCC forwards C, R, LOG_1, PCR_1, LOG_2 and PCR_2 from the raw data to the TTP. The TTP looks up the registered response R for each received PUF challenge C; if the Hamming distance between the registered response and the received response is smaller than the threshold ε, the identity authentication of the Internet of Things node passes. For the integrity measurement values and measurement logs of the collection program and the certificate upload program, the TTP determines whether each PCR value comes from a correct measurement process by analysing the integrity measurement event log, then compares the PCR value with the registered platform integrity reference value; if they are the same, the private cloud platform that sent the data was in a trusted state when executing the related operations. If all of the above verifications pass, the TTP considers the data corresponding to the block to be trustworthy, and sends the numbers of the valid blocks to the DCC. The DCC calculates the data block certificate verification values of the valid blocks according to the method of the present invention from the data uploaded by the user, and permanently records them on the block chain through the smart contract interface.
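The TTP-side checks of Step 3, as an added example that is not code from the patent: a PUF response is accepted when it is within ε bits of the registered one, and a PCR value is accepted when the measurement log replays to it and it equals the registered reference. SHA-256, the all-zero initial PCR, the threshold value and the log format (a list of measurement digests) are assumptions, and the sample blocks are constructed.

```python
import hashlib

PCR_RESET = b"\x00" * 32   # assumed initial PCR content
EPSILON = 10               # assumed threshold for a 128-bit response


def measure(code_page: bytes) -> bytes:
    """Integrity measurement value of a code page (SHA-256 assumed)."""
    return hashlib.sha256(code_page).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """new PCR value = hash(original PCR value || measurement value)."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(measurements) -> bytes:
    """Recompute the PCR value that a measurement log should lead to."""
    pcr = PCR_RESET
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


def hamming_distance(a: bytes, b: bytes) -> int:
    if len(a) != len(b):
        raise ValueError("responses must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def puf_ok(enrolled, challenge, response, epsilon=EPSILON) -> bool:
    """Pass only if the challenge is registered and the response is within epsilon bits."""
    expected = enrolled.get(challenge)
    if expected is None or len(expected) != len(response):
        return False
    return hamming_distance(expected, response) < epsilon


def platform_ok(log, reported_pcr, reference_pcr) -> bool:
    """The log must replay to the reported PCR, and that PCR must equal the reference."""
    return replay_log(log) == reported_pcr and reported_pcr == reference_pcr


def valid_blocks(submissions, enrolled, ref_collect, ref_upload):
    """Block numbers for which every PUF check and integrity check passes."""
    valid = []
    for block_no, sub in sorted(submissions.items()):
        crps_ok = all(puf_ok(enrolled, c, r) for c, r in sub["crps"])
        collect_ok = all(platform_ok(log, pcr, ref_collect)
                         for log, pcr in sub["collect"])
        upload_ok = platform_ok(*sub["upload"], ref_upload)
        if crps_ok and collect_ok and upload_ok:
            valid.append(block_no)
    return valid


def demo():
    # Constructed sample data; block numbers, CRPs and code pages are made up.
    enrolled = {b"\x01": bytes.fromhex("a5" * 16), b"\x02": bytes.fromhex("3c" * 16)}
    good_log = [measure(b"collector v1")]
    bad_log = [measure(b"collector v1, patched")]
    up_log = [measure(b"uploader v1")]
    ref_collect, ref_upload = replay_log(good_log), replay_log(up_log)
    noisy = bytes([enrolled[b"\x01"][0] ^ 0b101]) + enrolled[b"\x01"][1:]  # 2 bit errors
    foreign = bytes(b ^ 0xFF for b in enrolled[b"\x02"])                   # another device
    upload = (up_log, ref_upload)
    submissions = {
        7: {"crps": [(b"\x01", noisy)],
            "collect": [(good_log, ref_collect)], "upload": upload},
        8: {"crps": [(b"\x02", foreign)],
            "collect": [(good_log, ref_collect)], "upload": upload},
        9: {"crps": [(b"\x02", enrolled[b"\x02"])],
            "collect": [(bad_log, replay_log(bad_log))], "upload": upload},
        # Reported PCR copied from the reference, but the log does not lead to it.
        10: {"crps": [(b"\x01", enrolled[b"\x01"])],
             "collect": [(bad_log, ref_collect)], "upload": upload},
    }
    return valid_blocks(submissions, enrolled, ref_collect, ref_upload)


if __name__ == "__main__":
    print(demo())
```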
Further, in an embodiment of the present invention, the data reward payment module 500 is further configured so that, according to the data block certificate verification values of the valid blocks and the valid block numbers that the DCC inputs at the interface of the block chain smart contract, the contract automatically traces back the corresponding data block certificate values recorded on the chain and compares them, and automatically pays the data reward to the user, without relying on a third party, according to the number of data block certificates successfully verified.
It can be understood that, as shown in fig. 2, the smart contract on the block chain obtains the valid block numbers from the data block certificate verification values of the valid blocks input by the DCC; the contract automatically traces back the corresponding data block certificate values recorded on the chain and compares the two. If they are the same, this proves that the platform was in a trusted state and the sensor data was not tampered with when the user uploaded the data; if they differ, the data is judged invalid. According to the number of data block certificates successfully verified, the smart contract automatically pays the data reward to the user without relying on a third party.
Specifically, the data reward payment module 500 is located at the Ethereum smart contract end of the trusted big data collection transaction system. The smart contract is issued by the DCC and reserves separate interfaces for the user side and the DCC side. The DCC and the user call the contract through the web3 module provided by Ethereum; every call to the contract ultimately enters the transaction pool in the form of a transaction and, once packed onto the chain, is publicly and permanently recorded on the block chain. The DCC is allowed to input, at the smart contract interface, the data block certificate verification values of the valid blocks and the public key address of the corresponding user; the contract automatically traces back the data block certificates recorded in the related blocks and automatically pays the corresponding data reward to the user's public key address according to the number of blocks whose values match. The contract's payment operation enters the transaction pool in the form of a transaction and waits to be packed; after a miner completes the proof of work, a block containing the transaction is generated and broadcast, and once enough blocks have been linked after that block, the data transaction certificate can be considered permanently recorded on the block chain, which completes the payment.
To sum up, the embodiment of the present invention provides a trusted big data collection transaction system combining PUF technology, trusted computing technology and block chain technology. It can be used for the fusion of data silos and the trading of data from personal devices in the large-scale Internet of Things, while guaranteeing data credibility and transaction fairness and protecting personal identity privacy from disclosure. Its advantages and effects are:
1) The embodiment of the invention combines PUF technology, trusted computing technology and block chain technology: the PUF ensures that the collected data comes from authenticated hardware devices; the trusted platform module ensures the security of the data collection, storage and upload operations; and the block chain produces a tamper-proof ledger of data block certificate records. The system thus ensures the credibility of the full link of collection, storage, packing and upload.
2) The embodiment of the invention uses direct anonymous attestation to protect the privacy of the user's on-chain public key address: the DCC can only establish that the chain account trading data with it is indeed bound to a private cloud platform with an embedded legitimate TPM, and cannot obtain any information other than the legitimacy of that private cloud platform, so the privacy of the user side is protected.
3) Based on the decentralized and automated nature of a block chain that supports smart contracts, the system ensures fair, transparent and automatic payment of remuneration, which removes a major concern of users.
According to the big data collection transaction system based on the block chain and the trusted computing platform, all-round supervision and protection are applied to the data collection, storage, packing and upload operations, achieving full-link trust in the data; user privacy is protected through direct anonymous attestation while the DCC authenticates the legitimacy of the user's on-chain public key address; and the decentralized and automated nature of block chain smart contracts ensures that data reward payment is open and transparent. This reconciles, to a certain degree, the conflict between personal privacy protection and big data collection, ensures the credibility of the data source, and is practical, simple and easy to implement.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless explicitly specified otherwise.
In the description of the specification, reference to "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples, and features of different embodiments or examples, described in this specification can be combined by one skilled in the art without contradiction.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (5)

1. A big data acquisition transaction system based on a blockchain and a trusted computing platform is characterized by comprising:
a user on-chain address verification module, used for communication interaction among the data collection company (DCC), the trusted third party (TTP) and the user to complete a direct anonymous attestation protocol, and for adding the public key address on the blockchain that is bound to the trusted private cloud platform to the DCC transaction user white list; wherein an anonymous credential issuer TTP key is generated; an anonymous certificate is issued to the user side through the TTP and zero-knowledge proof; and an anonymous signature is calculated by the user side, so that the DCC verifies the correctness of the user side's anonymous signature;
the data acquisition module is used for executing integrity measurement of the acquisition program code page while the trusted private cloud platform performs the acquisition operation, so as to obtain a first platform state; acquiring and uploading a hardware fingerprint through an Internet of Things node; and generating a data certificate using the data unsealing and sealing functions of the trusted private cloud platform, the data certificate serving as the basis on which subsequent modules verify data credibility;
the data uploading module is used for executing integrity measurement of the uploading program code page to obtain a second platform state; generating a data block certificate by concatenating and packaging the data certificate of any time period; and uploading the data block certificate to the system consortium chain in the form of a transaction through the public key address on the blockchain that is bound to the trusted private cloud platform;
the data credibility verification module is used for, after the DCC publishes the type of data it wishes to purchase, receiving the corresponding block numbers and the corresponding original data set fed back by the user; obtaining, by the DCC with the assistance of the TTP, the numbers of the valid blocks, which correspond to data collected by legitimate devices in a trusted state; calculating the data block certificate verification values of the valid blocks; and uploading the verification values to the smart contract entry;
and the data reward payment module is used for automatically tracing, through the smart contract, the data block certificates of the valid blocks recorded on the chain, comparing them with the verification values submitted by the DCC, and automatically paying the data reward to the user according to the number of blocks that compare successfully.
2. The big data collection transaction system based on the blockchain and the trusted computing platform as claimed in claim 1, wherein the data collection module is specifically configured to:
integrity measurement is carried out on the code page of the acquisition program through a trusted platform module embedded in the trusted private cloud platform, and an integrity measurement value and a measurement log are generated;
randomly selecting, by the Internet of Things device, one challenge from the registered challenge set, obtaining a response by executing BIST so as to obtain the hardware fingerprint, and uploading the challenge-response pair together with the data;
performing data unsealing and data sealing through the trusted platform module, binding the data certificate generated in the previous time period to the trusted platform module, and binding the data certificate to the platform state through the integrity measurement value;
and calculating the data certificate corresponding to each time period according to a preset data structure, taking as input the sensor measurement data, the timestamp, the integrity measurement log, the integrity measurement value, the PUF challenge-response pair and the data certificate value of the previous time period, and outputting the data certificate value of the current time period.
3. The big data collection transaction system based on the blockchain and the trusted computing platform as claimed in claim 1, wherein the data upload module is specifically configured to:
performing integrity measurement, through the trusted platform module, on the code page of the script program that uploads data to the blockchain, and generating a corresponding measurement log and integrity measurement value;
taking as input the data certificate and timestamp of any time period, together with the measurement log and integrity measurement value generated by measuring the integrity of the uploading program, and executing concatenation and hashing operations, the output value being the data block certificate of that time period; and, in the established trusted execution environment, sending, by the uploading script, a transaction containing the data block certificate through the on-chain public key address, so that the transaction is permanently recorded on the consortium chain of the system after being packaged into a block and added to the chain.
4. The big data collection transaction system based on a blockchain and trusted computing platform according to claim 1, wherein the data credibility verification module is specifically configured to:
publishing the type of the required Internet of things equipment data through DCC;
according to the data requirement published by the DCC, a user inquires a block number where a data block certificate corresponding to the original data is located, and the block number and the original data are sent to the DCC together;
and the DCC traces back the corresponding transactions and data block certificates according to the block numbers fed back, obtains the numbers of the valid blocks with the assistance of the TTP, calculates the data block certificate verification values of the valid blocks and uploads the verification values to the smart contract entry.
5. The blockchain and trusted computing platform based big data collection transaction system of claim 1, wherein the data reward payment module is further to: the smart contract on the blockchain obtains the valid block numbers according to the data block certificate verification values of the valid blocks input by the DCC, automatically traces back the data block certificate values of the valid blocks recorded on the chain and compares them with the verification values, and automatically pays the data reward to the user, without relying on a third party, according to the number of successfully verified data block certificates.
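The certificate chaining of claims 2 and 3 and the recompute-and-compare payout of claims 4 and 5 can be sketched as follows. This is an added illustration, not code from the patent: SHA-256, the length-prefixed field encoding, the all-zero first "previous certificate", the dictionary field names and the exact-match PUF comparison are assumptions, and TPM sealing and direct anonymous attestation are not modelled.

```python
import hashlib
import hmac
import struct

GENESIS = b"\x00" * 32  # assumed "previous certificate" for the first period

def digest(*fields: bytes) -> bytes:
    # SHA-256 over length-prefixed fields; hash and encoding are assumptions.
    h = hashlib.sha256()
    for f in fields:
        h.update(struct.pack(">I", len(f)) + f)
    return h.digest()

def data_certificate(prev: bytes, p: dict) -> bytes:
    # Claim 2 inputs: sensor data, timestamp, collection measurement log and
    # value, PUF challenge-response pair, previous period's certificate value.
    return digest(p["data"], struct.pack(">Q", p["ts"]), p["clog"], p["cval"],
                  p["chal"], p["resp"], prev)

def block_certificate(cert: bytes, p: dict) -> bytes:
    # Claim 3 inputs: data certificate, timestamp, upload measurement log and value.
    return digest(cert, struct.pack(">Q", p["ts"]), p["ulog"], p["uval"])

def record_on_chain(periods: list) -> list:
    # User side: one block certificate per period, chained through `prev`.
    prev, chain = GENESIS, []
    for p in periods:
        prev = data_certificate(prev, p)
        chain.append(block_certificate(prev, p))
    return chain

def count_payable(chain: list, submitted: list, good_vals: set, crps: dict) -> int:
    # DCC and contract side (claims 4-5): recompute each block certificate from
    # the submitted raw records, keep blocks from a registered device in a
    # known-good state, and count those equal to the on-chain record.
    prev, paid = GENESIS, 0
    for recorded, p in zip(chain, submitted):
        prev = data_certificate(prev, p)
        valid = (p["cval"] in good_vals and p["uval"] in good_vals
                 and crps.get(p["chal"]) == p["resp"])  # exact match: simplification
        if valid and hmac.compare_digest(block_certificate(prev, p), recorded):
            paid += 1
    return paid

# Constructed sample values (not from the patent).
COLLECT_OK, UPLOAD_OK = digest(b"collector-v1"), digest(b"uploader-v1")
CRPS = {b"c0": b"r0", b"c1": b"r1", b"c2": b"r2"}

def sample_periods() -> list:
    return [{"data": b"temp=%d" % (20 + i), "ts": 1_700_000_000 + 60 * i,
             "clog": b"collector-v1", "cval": COLLECT_OK,
             "chal": b"c%d" % i, "resp": b"r%d" % i,
             "ulog": b"uploader-v1", "uval": UPLOAD_OK} for i in range(3)]

if __name__ == "__main__":
    good, chain = {COLLECT_OK, UPLOAD_OK}, record_on_chain(sample_periods())
    tampered = sample_periods()
    tampered[1]["data"] = b"temp=99"  # raw data altered after recording
    print(count_payable(chain, sample_periods(), good, CRPS),
          count_payable(chain, tampered, good, CRPS))
```

Because each period's certificate takes the previous one as input, altering the raw data of one period invalidates that block and every later block in the recomputed chain, so only the blocks before the change are paid.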

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811069639.XA CN109325331B (en) 2018-09-13 2018-09-13 Big data acquisition transaction system based on block chain and trusted computing platform

Publications (2)

Publication Number Publication Date
CN109325331A CN109325331A (en) 2019-02-12
CN109325331B CN109325331B (en) 2022-05-20

Family

ID=65265796

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811069639.XA Active CN109325331B (en) 2018-09-13 2018-09-13 Big data acquisition transaction system based on block chain and trusted computing platform

Country Status (1)

Country Link
CN (1) CN109325331B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant