CN110351381B - Block chain-based Internet of things trusted distributed data sharing method


Info

Publication number: CN110351381B
Authority: CN (China)
Application number: CN201910648241.XA
Other languages: Chinese (zh)
Other versions: CN110351381A
Inventors: 杨磊, 王江干, 邹宛蓉
Applicant and current assignee: Hunan University
Legal status: Active (application granted)

Classifications

    • H04L63/0442 - Network security for confidential data exchange among entities communicating through packet networks, the payload being protected by asymmetric encryption (different keys for encryption and decryption)
    • H04L63/062 - Key management in a packet data network: key distribution, e.g. centrally by a trusted party
    • H04L67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/104 - Peer-to-peer [P2P] networks
    • H04L67/56 - Provisioning of proxy services
    • H04L9/3247 - Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • H04L9/50 - Cryptographic mechanisms using hash chains, e.g. blockchains or hash trees

Abstract

The invention discloses a blockchain-based trusted distributed data sharing method for the Internet of Things. Device/user nodes are logically grouped into a two-layer overlay network, and each subnet is assigned a preselected edge gateway node with higher storage and computing capacity that acts as its supernode (PSPN). The PSPNs together form a blockchain layer, on which secure and efficient decentralized distributed data sharing with access control is realized by smart contracts combined with on-chain and off-chain storage. Architecturally, the invention uses P2P technology to solve the problem of effective communication between different data source entities in an industrial Internet of Things environment; it addresses the efficiency of sharing massive data in Internet of Things scenarios; it provides decentralization and auditability for trusted data sharing; and it reduces the operation and maintenance cost of the system.

Description

Block chain-based Internet of things trusted distributed data sharing method
Technical Field
The invention discloses a blockchain-based distributed data sharing method for the Internet of Things and relates in particular to the technical fields of blockchains, cryptography, data authority management and distributed storage.
Background
With the rapid development of Internet technology, and especially the arrival of the 5G era, the interconnection and intelligence of everything is the development trend of the future. The scale of the Internet of Things is growing, massive amounts of data are generated, and sharing this data effectively, so that the hidden value among data from different sources can be mined, is of great significance for the intelligent transformation of the Internet of Things. For example, a wireless sensor network (WSN) in the Internet of Things collects the data generated by the intelligent devices within it, and people can perform further joint analysis on this data to extract its potential value. However, Internet of Things data is often heterogeneous, real-time and large-scale, and different WSNs are isolated from one another, which makes sharing data between devices very difficult.
Current Internet of Things applications focus mainly on data acquisition, transmission and storage; research on data sharing is scarce. Local Internet of Things applications are basically closed loops: the acquired data serves a single application and is hard to share, so information islands form. Cloud storage alleviates this closed loop to some extent, since all data in the Internet of Things environment is collected, transmitted and stored in the cloud, and a user can access the cloud center's resources anywhere, at any time, and share data with others. However, the dispersed data sources, large data volume, data sensitivity and rapid growth of the Internet of Things all pose challenges for a cloud-like centralized sharing model: 1) cost: because the Internet of Things is large and its data sources are scattered, building a centralized sharing platform incurs high operation and maintenance costs; 2) security: a centralized sharing model generally suffers from a single point of failure, and although the traditional cloud-centric approach can introduce a trusted third-party auditor to guarantee integrity for the user, the privacy of the data cannot be guaranteed; 3) efficiency and flexibility: in a centralized sharing model every party must interact frequently with the sharing center, which is inefficient and inflexible, and if the center is a cloud server a great deal of network bandwidth is wasted.
It follows that a decentralized, trusted distributed approach is needed to provide data storage and sharing services for this scenario: one that need not worry about single-node failure and need not rely entirely on a cloud service provider to transmit and store data. On this basis, the invention provides a blockchain-based distributed data sharing method for the Internet of Things. Blockchain technology is introduced, and independent subnets are connected in P2P fashion to build a decentralized distributed structure. Device data is stored by a preselected edge gateway node (edge server) of its subnet, forming a P2P distributed storage structure, rather than storing all data in the Internet of Things environment centrally. Sharing requests therefore no longer converge on a single center, the efficiency and flexibility of the system are improved, and the single-point-of-failure problem is effectively solved; a secure trust mechanism is built through the smart contracts of the blockchain, solving the core problem of trusted data sharing among the heterogeneous objects of the Internet of Things. At the same time, the automatic execution of smart contracts reduces the system's operating cost, and the blockchain's distributed ledger allows the data access behaviour of different users to be traced and audited, which effectively improves the security and efficiency of data sharing.
Disclosure of Invention
The invention aims to provide a blockchain-based trusted distributed data sharing method for the Internet of Things that overcomes the defects of the prior art.
The technical scheme of the invention is a system consisting, from bottom to top, of a resource layer, a network layer, a blockchain layer and an application layer:
the resource layer consists of the bottom-layer devices/users, which are the providers and consumers of data resources; groups of these devices/users form subnets, and the resource layer contains at least two subnets;
the network layer is formed by combining all Internet of Things subnets, so that every device in the resource layer is covered; each subnet contains a preselected node (PSPN) with large storage and computing capacity, generally an edge gateway server, which stores the data coming from the resource layer; the PSPNs of the individual subnets are connected in P2P fashion, which achieves intercommunication between different subnets;
the blockchain layer consists of the PSPNs of all subnets and additionally comprises a device/user management module, a data management module, an authority management module and a network configuration module; the device/user management module, the data management module and the authority management module together implement the smart contract functions.
The network layer and the blockchain layer also depend on a public key management service module, which issues public and private keys to the devices/users registered in each subnet and to the blockchain member nodes (PSPNs), so that public-key encryption and private-key signing can be used.
The invention comprises the following protected method:
The bottom-layer devices of the resource layer form at least two subnets, and the subnets are combined to form the network layer; inside each subnet an edge gateway with high storage and computing capacity is designated as the preselected node (PSPN), and the PSPNs together form the blockchain layer. The blockchain layer provides smart contract functions, namely: device/user registration, device/user login and device/user management; requesting, issuing, verifying and changing authorizations. The distributed cache databases inside the PSPNs of the blockchain layer form a data record pool, which stores device/user information, authorization information and an attribute-based access rule table. Access control behaviours (for example, the data of a certain subnet being accessed by a certain device at a certain time) are recorded by the blockchain layer in the form of blocks (several access control records are combined into one block) for permanent local storage; the blocks are linked into a chain-shaped distributed ledger that exists in every PSPN, and updating the ledger requires the consensus of all PSPNs, so that the ledger in each PSPN stays consistent. The application layer comprises a web service application through which all the corresponding module functions can be visualized.
The modules of the invention operate as follows:
Part 1) device/user management module: its functions are device/user registration, login and device/user information management, all of which are operated through the web interface of the application module. First, a device/user selects the subnet matching the attribute of the data it generates and registers there; the manager of that subnet checks the registration information and decides whether the device/user may register. Once registered, the device/user is a legitimate member of the subnet and can make data access requests after logging in. The device/user information (e.g. device/user ID, communication IP, attribute, registration time, registration network, public key) is stored in the distributed record pool of the blockchain network, which means that the record pool of every member of the blockchain network holds the device/user information. Only the manager of the subnet to which the device/user belongs can decide to remove a registered device/user.
Part 2) key management module: when the blockchain network is started, the key management module distributes a public/private key pair to each network node, and a device/user obtains a public/private key pair at registration. The public keys of all nodes and devices/users are stored together with their information in the distributed record pool, i.e. public keys are public, while private keys are held by the nodes or devices/users themselves and can be exported locally.
Part 3) network configuration module: a subnet contains the registered devices/users, which are the producers and consumers of data; the data generated by the devices is stored on the PSPN inside the subnet, and the PSPNs are member nodes of the blockchain network. All subnets together form a logical overlay network that covers every device/user of the resource layer. A device/user can send requests directly to its PSPN to access the data inside its own subnet, and can also access the data of other subnets through that PSPN; the whole access control process is defined by the smart contracts of the blockchain network and executes automatically.
Part 4) data management module: storage consists of two parts, a distributed record pool and local data storage. The distributed record pool is on-chain storage, while the local data storage is off-chain storage, i.e. the data produced by the devices is stored in the database of the subnet's PSPN. Combining on-chain and off-chain storage helps overcome the inability of a blockchain to store large amounts of data and greatly improves system performance. The data management module responds whenever a device/user accesses either off-chain or on-chain data.
Part 5) authority management module: this module controls data access requests. When a device/user accesses network data, the authority management module looks up in the distributed record pool the attribute the device/user acquired at registration and compares it with the attribute of the destination network in which the requested data resides. If the two attributes match, the access is within the device/user's own network and the data can be accessed directly; otherwise it is cross-network access. In that case the module looks up the authorization information in the record pool, and if none is found it notifies the device/user that it must send an authorization request to the destination network. The destination network's administrator can add authorization information through the authority management module, and can also close and delete authorization information.
Part 6) application module: all functions are visualized through the web interface of the application module.
The advantages of the method are that it solves the problem of effective communication among multiple isolated subnets in an industrial Internet of Things environment and the key problem that objects in the Internet of Things are hard to trust; it establishes a new distributed shared access management method that overcomes the low efficiency of the centralized sharing model of the Internet of Things; the proposed distributed storage and sharing architecture solves the single-point-of-failure problem and the third-party credibility problem; by deploying smart contracts on the blockchain, the access control process executes automatically and the system's operating cost is reduced; and finally, the distributed ledger records all interactive operations in the system immutably, the operation records can be queried at any time, and the security of the system and of the original data is further guaranteed.
Drawings
Fig. 1 is a system architecture diagram.
Fig. 2 is a system core structure diagram.
Fig. 3 is a diagram of the internal composition of a pre-selected node PSPN in the network layer.
Fig. 4 is an execution activity diagram of the system.
Detailed Description
The present invention will be described in further detail below in order to make its objects, contents and advantages more apparent.
The embodiment of the invention is shown in fig. 1 and comprises, from bottom to top, a resource layer, a network layer, a blockchain layer and an application layer;
the resource layer consists of the bottom-layer devices/users, which are the providers and consumers of data resources; groups of these devices/users form subnets, and the resource layer contains at least two subnets;
the network layer is formed by combining all Internet of Things subnets, so that every device in the resource layer is covered; as shown in fig. 2, each subnet of the resource layer contains a preselected node (PSPN) with high storage and computing capacity, typically an edge gateway server, which stores the data coming from the resource layer; the PSPNs of the individual subnets are connected in P2P fashion, which achieves intercommunication between different subnets;
the blockchain layer consists of the PSPNs of all subnets and additionally comprises a device/user management module, a data management module, an authority management module and a network configuration module; the device/user management module, the data management module and the authority management module together implement the smart contract functions.
The network layer and the blockchain layer also depend on a public key management service module, which issues public and private keys to the devices/users registered in each subnet and to the PSPNs that are blockchain members, so that public-key encryption and private-key signing can be used.
The invention comprises the following protected method:
The bottom-layer devices of the resource layer form at least two subnets, and the subnets are combined to form the network layer; inside each subnet an edge gateway with high storage and computing capacity is designated as the preselected node (PSPN), and the PSPNs together form the blockchain layer. The blockchain layer provides smart contract functions, namely: device/user registration, device/user login and device/user management; requesting, issuing, verifying and changing authorizations. The distributed cache databases inside the PSPNs (the preselected edge gateway nodes) of the blockchain layer form a data record pool, which stores device/user information, authorization information and an attribute-based access rule table. Access control behaviours (for example, the data of a certain subnet being accessed by a certain device at a certain time) are recorded by the blockchain layer in the form of blocks (several access control records are combined into one block) for permanent local storage; the blocks are linked into a chain-shaped distributed ledger that exists in every PSPN, and updating the ledger requires the consensus of all PSPNs, so that the ledger in each PSPN stays consistent. The application layer comprises a web service application through which all the corresponding module functions can be visualized.
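The distributed ledger described in this paragraph (and in the corresponding paragraph of the disclosure section) records access control behaviours in blocks that are hash-linked into a chain and held by every PSPN. The Go program below is an added illustration, not code from the patent: it packs constructed access records into such blocks and shows how any PSPN can re-verify its local copy of the ledger and locate the first block that was altered after the fact. The struct and field names and the sample records are assumptions; consensus between PSPNs is not modelled, only one local copy is shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AccessRecord is one access control behaviour: a requester accessed the
// data of a subnet at a given time (Unix seconds). Field names are assumed.
type AccessRecord struct {
	Requester string `json:"requester"`
	Subnet    string `json:"subnet"`
	Action    string `json:"action"`
	Time      int64  `json:"time"`
}

// Block bundles several access records; PrevHash links it to its predecessor.
type Block struct {
	Index    int            `json:"index"`
	PrevHash string         `json:"prev_hash"`
	Records  []AccessRecord `json:"records"`
	Hash     string         `json:"hash"`
}

// Ledger is one PSPN's copy of the chain-shaped distributed ledger.
type Ledger struct {
	Blocks []Block
}

// blockHash hashes the canonical JSON encoding of the block with its own
// Hash field cleared, so the stored hash never feeds into itself.
func blockHash(b Block) string {
	b.Hash = ""
	payload, err := json.Marshal(b)
	if err != nil {
		panic(err) // only plain structs are encoded; cannot fail here
	}
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// NewLedger creates a ledger holding only the genesis block.
func NewLedger() *Ledger {
	genesis := Block{Index: 0}
	genesis.Hash = blockHash(genesis)
	return &Ledger{Blocks: []Block{genesis}}
}

// Append packs a batch of access records into a new block linked to the
// current head of the chain and returns the new block.
func (l *Ledger) Append(records []AccessRecord) Block {
	prev := l.Blocks[len(l.Blocks)-1]
	b := Block{Index: prev.Index + 1, PrevHash: prev.Hash, Records: records}
	b.Hash = blockHash(b)
	l.Blocks = append(l.Blocks, b)
	return b
}

// Verify re-derives every block hash and checks every back-link. It returns
// the index of the first inconsistent block, or -1 if the ledger is intact.
func (l *Ledger) Verify() int {
	for i, b := range l.Blocks {
		if blockHash(b) != b.Hash {
			return i
		}
		if i > 0 && b.PrevHash != l.Blocks[i-1].Hash {
			return i
		}
	}
	return -1
}

func main() {
	l := NewLedger()
	// Constructed sample events: user1 reads inside its own subnet, then
	// reads subnet2 after a cross-network authorization.
	l.Append([]AccessRecord{{Requester: "user1", Subnet: "subnet1", Action: "read", Time: 1563000000}})
	l.Append([]AccessRecord{{Requester: "user1", Subnet: "subnet2", Action: "read", Time: 1563000600}})
	fmt.Println("intact ledger, first bad block:", l.Verify())

	// A PSPN operator rewrites history in its local copy; the audit catches it.
	l.Blocks[1].Records[0].Subnet = "subnet9"
	fmt.Println("after tampering, first bad block:", l.Verify())
}
```

Because every block commits to the hash of its predecessor, a tampered record cannot be hidden by simply recomputing that block's own hash: the following block's back-link then fails, which is why the text requires the consensus of all PSPNs before the ledger is updated.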
The modules of the invention operate as follows:
First part, device/user management module: its functions are device/user registration, login and device/user information management, all of which are operated through the web interface of the application module. First, a device/user selects the subnet matching the attribute of the data it generates and registers there; the manager of that subnet checks the registration information and decides whether the device/user may register. Once registered, the device/user is a legitimate member of the subnet and can make data access requests after logging in; this part is shown as the registration stage in fig. 4. In addition, the device/user information (such as device/user ID, communication IP, attribute, registration time, registration network, public key) is stored in the distributed record pool of the blockchain network, which means that the record pool of every member of the blockchain network holds the device/user information, so the registration process is guaranteed to be public. Only the manager of the subnet to which the device/user belongs can decide to remove a registered device/user.
Second part, key management module: when the blockchain network is started, the key management module distributes a public/private key pair to each network node, and a device/user obtains a public/private key pair at registration. The public keys of all nodes and devices/users are stored together with their information in the distributed record pool, i.e. public keys are public, while private keys are held by the nodes or devices/users themselves and can be exported locally.
Third part, network configuration module: a subnet contains the registered devices/users, which are the producers and consumers of data; the data generated by the devices is stored on the PSPNs inside the subnet, which are member nodes of the blockchain network. All subnets together form a logical overlay network that covers every device/user of the resource layer. A device/user can send requests directly to its PSPN to access the data inside its own subnet, and can also access the data of other subnets through that PSPN; the whole access control process is defined by the smart contracts of the blockchain network and executes automatically. This part is shown as the in-network data access stage and the cross-network data access stage in fig. 4.
Fourth part, data management module: storage consists of two parts, a distributed record pool and local data storage. The distributed record pool is on-chain storage, while the local data storage is off-chain storage, i.e. the data produced by the devices is stored in the database of the subnet's PSPN. Combining on-chain and off-chain storage helps overcome the inability of a blockchain to store large amounts of data and greatly improves system performance. The data management module responds whenever a device/user accesses either off-chain or on-chain data.
Fifth part, authority management module: this module controls data access requests. When a device/user accesses network data, the authority management module looks up in the distributed record pool the attribute the device/user acquired at registration and compares it with the attribute of the destination network in which the requested data resides. If the two attributes match, the access is within the device/user's own network and the data can be accessed directly; otherwise it is cross-network access. In that case the module looks up the authorization information in the record pool, and if none is found it notifies the device/user that it must send an authorization request to the destination network. The destination network's administrator can add authorization information through the authority management module, and can also close and delete authorization information.
Sixth part, application module: all functions are visualized through the web interface of the application module.
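The attribute check and authorization lookup of the authority management module (described in the fifth part here and in part 5 of the disclosure section) can be written as a small decision procedure over the record pool. The Go code below is an added example, not the patent's implementation: the record pool layout, the member and subnet records, the attribute values and the decision names are all assumed, and the revocation helper reflects the text's statement that the destination administrator can close authorization information.

```go
package main

import "fmt"

// Member is the device/user record kept in the distributed record pool
// (a subset of the fields the text lists: ID, attribute, registration network).
type Member struct {
	ID        string
	Attribute string
	Subnet    string
}

// Subnet is a subnet entry; members registered there share its attribute.
type Subnet struct {
	Name      string
	Attribute string
}

// Authorization is the record the destination subnet's administrator adds to
// the pool after accepting a cross-network request; Active is cleared when
// the administrator closes it.
type Authorization struct {
	MemberID string
	Subnet   string
	Active   bool
}

// RecordPool models the distributed cache database replicated in every PSPN.
type RecordPool struct {
	Members        map[string]Member
	Subnets        map[string]Subnet
	Authorizations []Authorization
}

// Decision is the outcome of the authority management check.
type Decision int

const (
	Deny                   Decision = iota // unknown member or subnet
	DirectAccess                           // attributes match: in-network access
	CrossNetworkAuthorized                 // attributes differ, active authorization found
	AuthorizationRequired                  // attributes differ, no authorization: ask the destination administrator
)

func (d Decision) String() string {
	return [...]string{"Deny", "DirectAccess", "CrossNetworkAuthorized", "AuthorizationRequired"}[d]
}

func NewRecordPool() *RecordPool {
	return &RecordPool{Members: map[string]Member{}, Subnets: map[string]Subnet{}}
}

// Register mirrors the subnet manager's check at registration: a member may
// only join a subnet whose attribute equals its own. Returns false on failure.
func (p *RecordPool) Register(m Member) bool {
	s, ok := p.Subnets[m.Subnet]
	if !ok || s.Attribute != m.Attribute {
		return false
	}
	p.Members[m.ID] = m
	return true
}

// Authorize records the destination administrator's acceptance of a request.
func (p *RecordPool) Authorize(memberID, subnet string) {
	p.Authorizations = append(p.Authorizations, Authorization{MemberID: memberID, Subnet: subnet, Active: true})
}

// Revoke closes every active authorization of the member for that subnet.
func (p *RecordPool) Revoke(memberID, subnet string) {
	for i := range p.Authorizations {
		a := &p.Authorizations[i]
		if a.MemberID == memberID && a.Subnet == subnet {
			a.Active = false
		}
	}
}

// Decide implements the rule of the authority management module: a matching
// attribute means direct in-network access; otherwise an active authorization
// record for the destination subnet must exist in the pool.
func (p *RecordPool) Decide(memberID, targetSubnet string) Decision {
	m, ok := p.Members[memberID]
	if !ok {
		return Deny
	}
	s, ok := p.Subnets[targetSubnet]
	if !ok {
		return Deny
	}
	if m.Attribute == s.Attribute {
		return DirectAccess
	}
	for _, a := range p.Authorizations {
		if a.MemberID == memberID && a.Subnet == targetSubnet && a.Active {
			return CrossNetworkAuthorized
		}
	}
	return AuthorizationRequired
}

func main() {
	p := NewRecordPool()
	p.Subnets["subnet1"] = Subnet{Name: "subnet1", Attribute: "production"} // constructed attribute values
	p.Subnets["subnet2"] = Subnet{Name: "subnet2", Attribute: "logistics"}
	p.Register(Member{ID: "user1", Attribute: "production", Subnet: "subnet1"})
	fmt.Println("user1 -> subnet1:", p.Decide("user1", "subnet1"))
	fmt.Println("user1 -> subnet2:", p.Decide("user1", "subnet2"))
	p.Authorize("user1", "subnet2")
	fmt.Println("after authorization:", p.Decide("user1", "subnet2"))
	p.Revoke("user1", "subnet2")
	fmt.Println("after revocation:", p.Decide("user1", "subnet2"))
}
```

Unregistered requesters and unknown destination subnets fall through to Deny before any attribute comparison, so the decision never defaults to access when a lookup in the pool fails.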
With reference to fig. 4, the specific steps of the present invention are as follows:
step 01: and constructing a bottom-layer distributed network, adding PSPN (pre-selected edge gateway nodes) of different subnetworks into a block chain layer, wherein an operation user of the PSPN can be regarded as a manager of each independent subnetwork, and information of the PSPN can be added into a distributed recording pool after the network is started. Meanwhile, all the device/user sets in the resource layer are set to be null, that is, each sub-network currently has only PSPN, and the resource layer has no device/user node to join.
Step 02: starting a web application of an application layer, and opening a browser to access a webpage version system; first we can add devices to the resource layer and device administrators can register different devices into different sub-networks to store data generated by the devices in different PSPNs. Then, it is user registration, assuming that user 1 registers in sub-network 1 to acquire various device data; the device registration is the same as the user registration process, and the following steps take the user as an example.
Step 03: after logging in the system, the administrator of the sub-network 1 checks the registration information through the device/user management module, and once the registration request of the user 1 is checked, the basic information of the user 1 is stored in the distributed record pool in the block chain layer, and meanwhile, the basic operation information of the registration process is recorded in the form of blocks by the distributed book.
Step 04: User 1 logs in and is taken to the main page after a successful login. On the main page, user 1 can export his own private key; the corresponding public key is automatically stored in the distributed record pool as part of the user information. The public and private key pair is issued automatically by the key management module during the registration phase.
Step 05: The successfully logged-in user 1 sends requests to the block chain layer through the pre-selected node PSPN of the subnet in which the user is located, and can view the public data in the distributed record pool at any time, such as the public key of each PSPN.
Step 06: At the same time, user 1 can query his own data access authority; user 1 can directly access the device data in sub-network 1. According to the rule, a user who has requested registration with a subnet and passed the check possesses the same attribute as that subnet, because the checker verifies the attribute during the registration phase and the registration fails if the attributes are inconsistent. For example, if the attribute of subnet 1 is Prodeputy, then the attribute of user 1 is also Prodeputy.
Step 07: User 1 sends a cross-subnet data request to subnet 2. For a cross-subnet request the attribute verification cannot pass, that is, the attributes of user 1 and sub-network 2 are inconsistent and the attribute authority rule table in the distributed record pool is not satisfied, so the data cannot be accessed directly. At this point the authority management module performs authorization information verification and requires user 1 to enter an authorization information verification code; if the entered code does not correspond to any authorization information, the module reminds user 1 to send an authorization request to the manager of sub-network 2.
Step 08: Following step 07, after the manager of sub-network 2 logs in to the system, the manager sees the authorization request sent by user 1, which contains the public key of user 1. The manager can respond to the authorization request by accepting or rejecting it. Once the manager accepts the request, an authorization record is added to the distributed record pool and the system automatically generates a six-digit verification code. The authority management module then automatically encrypts the verification code with the public key of user 1 to obtain the encrypted information, and signs the encrypted information with the private key of the manager of sub-network 2 (encryption under the private key) to obtain the signature information.
Step 09: After logging in to the system, user 1 receives the notification that the manager of subnet 2 has granted the authorization of step 07, together with the encrypted information and the signature information sent by the system. The signature information is automatically verified with the manager's public key taken from the distributed record pool, which ensures that the information was indeed sent by the manager of subnet 2. At the same time, user 1 imports his private key to decrypt the encrypted information and finally obtains the six-digit verification code.
Step 10: When user 1 has received the verification code of step 09, the code is entered and matched against the authorization information in the distributed record pool. If the match succeeds, user 1 obtains the authority to access the data center url of sub-network 2, and cross-network access is achieved.
Step 11: Once user 1 has passed the verification-code authorization check, the data management module immediately responds to the request and generates the url address of the data center of sub-network 2; by opening that url, user 1 can transfer or download the device data in sub-network 2.
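The following Python program models steps 06 to 10 end to end: the attribute check against the rule table, the manager's encrypt-then-sign handling of the six-digit code, the user's signature verification and decryption, and the final constant-time match of the entered code against the record pool. It is an added example, not code from the patent or from Hunan University. It assumes the `cryptography` package and uses RSA-OAEP for the encryption to user 1's public key and RSA-PSS for the manager's signature, since the patent names no algorithm; the subnet attribute "Finance" for subnet 2, the record-pool layout and the function names are constructed for the example. The signature check is done before decryption, so a ciphertext that was not produced by the subnet 2 manager is rejected without ever touching the user's private key.

```python
"""Cross-subnet authorization of Steps 06 to 10, modelled end to end.

Added example, not the patent's own code.  It assumes the `cryptography`
package and uses RSA-OAEP for the encryption to user 1's public key and
RSA-PSS for the manager's signature; the patent names neither algorithm.
Subnet attributes and the record pool layout are constructed sample data.
"""
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Attribute authority rule table of the distributed record pool (constructed).
# "Prodeputy" is the attribute the description gives subnet 1; "Finance" is assumed.
RULE_TABLE = {"subnet1": "Prodeputy", "subnet2": "Finance"}

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def new_key():
    """Key pair as the key management module would issue it at registration."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def public_pem(private_key):
    """PEM form of the public half, which is what the record pool publishes."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


class RecordPool:
    """Minimal stand-in for the distributed record pool replicated on every PSPN."""

    def __init__(self):
        self.users = {}           # user id -> {"attr": subnet attribute, "pub": PEM}
        self.admins = {}          # subnet id -> manager public key PEM
        self.authorizations = {}  # (user id, subnet id) -> six-digit code


def attribute_matches(pool, user, subnet):
    """Step 06/07: the same attribute as the target subnet means in-network access."""
    return pool.users[user]["attr"] == RULE_TABLE[subnet]


def code_matches(pool, user, subnet, code):
    """Step 10: constant-time match of the entered code against the pool."""
    stored = pool.authorizations.get((user, subnet))
    return stored is not None and secrets.compare_digest(stored, code)


def request_access(pool, user, subnet, code=None):
    """Authority management module decision: 'direct', 'cross' or 'need_authorization'."""
    if attribute_matches(pool, user, subnet):
        return "direct"
    if code is not None and code_matches(pool, user, subnet, code):
        return "cross"
    return "need_authorization"


def manager_grant(pool, manager_key, subnet, user):
    """Step 08: record the authorization, encrypt the code to the user, sign the ciphertext."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    pool.authorizations[(user, subnet)] = code
    user_pub = serialization.load_pem_public_key(pool.users[user]["pub"])
    encrypted = user_pub.encrypt(code.encode(), OAEP)
    signature = manager_key.sign(encrypted, PSS, hashes.SHA256())
    return encrypted, signature


def signature_valid(pool, subnet, encrypted, signature):
    """Step 09, first half: check the signature with the manager key taken from the pool."""
    manager_pub = serialization.load_pem_public_key(pool.admins[subnet])
    try:
        manager_pub.verify(signature, encrypted, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def user_recover_code(pool, user_key, subnet, encrypted, signature):
    """Step 09: refuse anything not signed by the subnet manager, then decrypt."""
    if not signature_valid(pool, subnet, encrypted, signature):
        raise ValueError("signature does not come from the manager of " + subnet)
    return user_key.decrypt(encrypted, OAEP).decode()


def build_pool():
    """Constructed state after Steps 01 to 06: user 1 in subnet 1, manager of subnet 2."""
    pool = RecordPool()
    user1_key, manager2_key = new_key(), new_key()
    pool.users["user1"] = {"attr": "Prodeputy", "pub": public_pem(user1_key)}
    pool.admins["subnet2"] = public_pem(manager2_key)
    return pool, user1_key, manager2_key


if __name__ == "__main__":
    pool, user1_key, manager2_key = build_pool()
    print(request_access(pool, "user1", "subnet1"))        # direct
    print(request_access(pool, "user1", "subnet2"))        # need_authorization
    enc, sig = manager_grant(pool, manager2_key, "subnet2", "user1")
    code = user_recover_code(pool, user1_key, "subnet2", enc, sig)
    print(request_access(pool, "user1", "subnet2", code))  # cross
```

Two design points worth noting for a practitioner: the manager's public key used in `signature_valid` comes from the record pool, exactly as step 09 describes, so the integrity of that pool is what the whole exchange rests on; and `code_matches` uses `secrets.compare_digest` so that the six-digit match does not leak timing information about the stored code.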
Step 12: A subnet manager may delete the devices/users registered in his own network, or delete authorization information granted to users from other networks.
Step 13: During system operation, the registration of user 1, the authorization of user 1 and the other operation information are recorded by the block chain layer in the form of blocks, forming a distributed ledger. The ledger exists in all subnets, which guarantees the transparency of the operation records and the security of the subnets' device data during access.
Step 14: The distributed ledger of the block chain network, that is, the block information, can be queried. The ledger is formed by linking blocks through their hash values, and each block is formed from the operation information of the system. Any change to the operation information in a block changes its hash value; the ledger exists in all PSPNs, and every change must reach the consensus of all nodes, so the ledger can hardly be tampered with. The ledger can be queried through the web application, and all system operation records are traceable and unalterable.
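Steps 13 and 14 describe the ledger as blocks of operation records linked by hash, replicated on every PSPN and changed only by consensus. The following standard-library Python program is an added example, not the patent's implementation, that builds such a chain from constructed records for user 1's registration and authorization, shows how editing an old record is detected by recomputing the hashes, and shows why re-hashing the edited block does not help, because the break simply moves to the next link. The block layout (index, prev, records, hash), the record fields (ts, op, actor) and the helper names are assumptions for the example.

```python
"""Distributed ledger of Steps 13 and 14 as a hash-linked chain of operation records.

Added example, not the patent's implementation.  Block and record layout
(index, prev, records, hash; ts/op/actor fields) are assumed, and the sample
records are constructed.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64


def block_hash(index, prev_hash, records):
    """SHA-256 over a canonical JSON encoding, so any edit to the records or link changes it."""
    payload = json.dumps({"index": index, "prev": prev_hash, "records": records},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """One PSPN's copy of the ledger: a list of blocks, each linked to the previous by hash."""

    def __init__(self):
        self.blocks = []

    def append(self, records):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_HASH
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "records": records,
                            "hash": block_hash(index, prev, records)})

    def verify(self):
        """Index of the first block whose hash or link is wrong, or None if the chain is intact."""
        prev = GENESIS_HASH
        for block in self.blocks:
            expected = block_hash(block["index"], block["prev"], block["records"])
            if block["prev"] != prev or block["hash"] != expected:
                return block["index"]
            prev = block["hash"]
        return None

    def trace(self, actor):
        """Step 14 traceability: every recorded operation performed by one actor, in order."""
        return [r for b in self.blocks for r in b["records"] if r["actor"] == actor]


def replicas_consistent(replicas):
    """Consensus check of Step 14: an update only stands if every PSPN holds the same chain head."""
    heads = {r.blocks[-1]["hash"] if r.blocks else GENESIS_HASH for r in replicas}
    return len(heads) == 1


def sample_ledger():
    """Constructed operation records for the registration and authorization of user 1."""
    ledger = Ledger()
    ledger.append([
        {"ts": "2019-07-18T08:00:00Z", "op": "register", "actor": "user1", "subnet": "subnet1"},
    ])
    ledger.append([
        {"ts": "2019-07-18T09:00:00Z", "op": "request_authorization", "actor": "user1",
         "target": "subnet2"},
        {"ts": "2019-07-18T09:05:00Z", "op": "issue_authorization", "actor": "manager_subnet2",
         "user": "user1"},
    ])
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    print("intact:", ledger.verify() is None)                 # True
    ledger.blocks[0]["records"][0]["actor"] = "someone_else"   # edit an old record
    print("first bad block:", ledger.verify())                 # 0
```

`verify` is what an auditing web application would run over a PSPN's copy before trusting a query result; `replicas_consistent` is the simplest form of the agreement rule the description states, comparing only chain heads, which suffices because every head commits to the whole history behind it.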
In order to describe the block chain-based internet of things distributed data sharing and protection method in more detail, two specific implementation cases are given below:
Example one:
The application background of this embodiment is the internet of things, with four independent sub-networks, the manager node of each of which joins the block chain network. First, user 1 in sub-network 1 applies for registration with sub-network 1; after the manager of sub-network 1 passes the check, user 1 can log in and directly access the data resources of sub-network 1. User 1 may then send an access request to subnet 2 through the PSPN of subnet 1, but authorization verification is required: user 1 sends an authorization request to subnet 2, and once the manager of subnet 2 has approved it, user 1 obtains an authorization information verification code with which the data resources of subnet 2 can be accessed.
Example two:
Among four departments of a company, the managers of the four departments join the block chain layer. Employee 1 of department 1 requests registration from the manager of department 1 and, after successful registration, can directly access the files of that department. If employee 1 of department 1 needs to access the files of department 2, the manager of department 2 must grant authorization through the intelligent contract of the block chain network.
The invention has the following beneficial effects:
Trust problem: existing data sharing schemes basically rely on a trusted third party, and that third-party trust model is hard to change. The distributed sharing method of the invention avoids the third-party trust problem: the data remain owned by the local network, so the rights of the data producer are fully guaranteed.
Storage problem: the intelligent devices of the industrial internet of things are resource-constrained, with limited storage space and computing power, and cannot fully store and manage their own data. With the pre-selected node PSPN scheme inside each subnet, the edge gateway server can act as the PSPN and store the data in an edge-distributed manner, with no need for centralized storage at a third-party cloud storage center; at the same time, the data access control of the block chain network also guarantees the security of the data stored at the edge.
Security and privacy problems: block chain technology and cryptography guarantee the security of the data; these two technologies are contained in the network configuration module and the key management module respectively. Meanwhile, the distributed ledger produced by the block chain technology can be used to trace back every operation in the network, such as device/user registration, user login, device/user management, data access request, request authorization, release authorization and change authorization. These operations are recorded in the form of blocks and stored in all members of the block chain network, i.e. inside the pre-selected nodes PSPN of all sub-networks. The actor of each operation and specific information such as time stamps can be looked up at any time, which further guarantees the integrity and security of the data.
Networking transmission and trust problems: entities in the internet of things are often closed-loop, hard to interconnect in real time, and hard to make trust each other. The network configuration module connects the heterogeneous sub-networks in P2P form and defines the access mechanism between entities through the intelligent contract, which solves the networking transmission and trust problems of the internet of things environment well.
User experience problem: the method is fully modularized; after one-key deployment by script, all corresponding functions are operated through the web application in the browser, which is very convenient for users, with a low barrier to entry.

Claims (3)

1. A block chain-based trusted distributed data sharing method for the Internet of things, characterized by comprising the following steps:
the system comprises, from bottom to top, a resource layer, a network layer, a block chain layer and an application layer;
the resource layer is composed of bottom-layer devices/users, which are the providers and users of data resources, where parts of the bottom-layer devices/users form sub-networks, and the resource layer comprises at least two sub-networks;
the network layer is formed by combining all internet of things subnets, so that all devices of the resource layer are covered; each sub-network contains a pre-selected node PSPN with larger storage and computing capacity, which is an edge gateway server and stores the data from the resource layer; the pre-selected nodes PSPN of the subnets are connected in P2P form, thereby achieving intercommunication among different subnets;
the block chain layer consists of the pre-selected nodes PSPN of each sub-network and further comprises a device/user management module, a data management module, an authority management module and a network configuration module; the device/user management module, the data management module and the authority management module form the intelligent contract function;
the network layer and the block chain layer also depend on a public key management service module, which issues public and private keys to the devices/users registered in the subnets and to the pre-selected nodes PSPN that are block chain members, so as to realize public-key encryption and private-key signature;
the method specifically comprises the following protection method:
at least two subnets are formed by the bottom-layer devices/users of the resource layer, and the subnets are combined with each other to form the network layer; each subnet is provided with an edge-gateway pre-selected node PSPN with high storage and computing capacity, and the pre-selected nodes PSPN form the block chain layer; the block chain layer has an intelligent contract function comprising: device/user registration, device/user login and device/user management; request authorization, issue authorization, verify authorization and change authorization; the distributed cache database inside the pre-selected node PSPN of each edge gateway of the block chain layer forms a data record pool, which stores the device/user information, the authorization information and the attribute-based authority access rule table; the access control behaviour is recorded by the block chain layer in the form of blocks for local permanent storage, and the blocks are linked to form a chain-shaped distributed ledger; the ledger exists in all PSPNs, and updating the ledger requires the consensus of all pre-selected nodes PSPN so that the ledger in each pre-selected node PSPN is consistent; the application layer comprises a web service application, through which all the corresponding module functions can be visualized.
2. The block chain-based trusted distributed data sharing method for the Internet of things according to claim 1, wherein the modules operate specifically as follows:
first part, device/user management module: the corresponding functions are device/user registration, login and device/user information management, and these functions are operated through the web interface of the application module; first, the device/user selects the corresponding subnet to register with according to the data attribute it generates; the manager of that subnet reviews the registration information and confirms whether the device/user registration is permitted; once registration succeeds, the device/user is a legal member of the sub-network and can make data access requests after logging in; the device/user information is stored in the distributed record pool of the block chain network, that is, in the record pools of all members of the block chain network, and only the manager of the subnet to which the device/user belongs can decide whether to remove the registered device/user;
second part, key management module: when the block chain network is first started, the key management module distributes a public and private key pair to each network node, and a device/user also obtains a public and private key pair at registration; the public keys of all nodes or devices/users are stored in the distributed record pool together with the information of the nodes or devices/users, i.e. the public keys are public, while the private keys are kept by the nodes or devices/users and can be exported locally;
third part, network configuration module: the sub-networks contain the registered devices/users, which are the producers and users of data; the data generated by the devices are stored on the pre-selected node PSPN of the sub-network, and the pre-selected nodes PSPN are the member nodes of the block chain network; all sub-networks form a logical overlay network covering all devices/users of the resource layer; a device/user can send a request directly to the pre-selected node to access the internal data of its subnet, and can also access the data of other subnets through the pre-selected node PSPN, the whole access control process being defined by the intelligent contract of the block chain network and executed automatically;
fourth part, data management module: the storage consists of two parts, the distributed record pool and the local data storage; the distributed record pool is on-chain storage, and the local data storage is off-chain storage, that is, the data produced by the devices are stored in the database of the corresponding pre-selected node of the subnet; this combined on-chain and off-chain storage helps solve the problem that a block chain cannot store large amounts of data and greatly improves system performance; finally, when a device/user accesses off-chain or on-chain data, the data management module responds with the data;
fifth part, authority management module: this module controls data access requests; when a device/user accesses network data, the authority management module searches the distributed record pool for the device/user information added at registration and finds the attribute of the device/user, and verifies that attribute against the attribute of the target network in which the requested data are located; if the attributes are consistent, the requested data belong to the device/user's own network and can be accessed directly, otherwise the access is cross-network; the module then looks for the authorization information in the record pool, and if none is found, the device/user is informed that an authorization information request must be sent to the target network; the manager of the target network can add authorization information for the device/user through the authority management module, and can also close and delete the authorization information;
sixth part, application module: all functions are visualized through the web interface of the application module.
3. The block chain-based trusted distributed data sharing method for the Internet of things according to claim 1, comprising the following steps:
step 01: building the bottom-layer distributed network by adding the pre-selected nodes PSPN of the edge gateways of the different sub-networks to the block chain layer, wherein the operating user of a pre-selected node PSPN is regarded as the manager of that independent sub-network, and his information is added to the distributed record pool after the network starts; the set of all devices/users in the resource layer is initially empty, i.e. only the pre-selected node PSPN exists in each sub-network and no device/user node has yet joined the resource layer;
step 02: starting the web application of the application layer and opening a browser to access the web version of the system; first, devices can be added to the resource layer: device administrators register different devices into different sub-networks so that the data generated by the devices are stored in different pre-selected nodes PSPN; then users register, and user 1 registers with sub-network 1 in order to obtain the various device data; device registration follows the same process as user registration;
step 03: the manager of sub-network 1 logs in to the system and checks the registration information through the device/user management module; once the registration request of user 1 passes the check, the basic information of user 1 is stored in the distributed record pool of the block chain layer, and the basic operation information of the registration process is recorded in block form in the distributed ledger;
step 04: user 1 logs in and is taken to the main page after a successful login; on the main page user 1 can export his own private key, the public key of the user is automatically stored in the distributed record pool as user information, and the public and private key pair is automatically distributed by the key management module in the registration stage;
step 05: the successfully logged-in user 1 sends requests to the block chain layer through the pre-selected node PSPN of the subnet in which the user is located, and checks the public data in the distributed record pool at any time, the public data including the public key of each pre-selected node PSPN;
step 06: at the same time, user 1 can query his own data access authority, and user 1 can access the device data in sub-network 1 directly; according to the rule, a user who requests registration with a sub-network and passes the check has the same attribute as that sub-network, because the verifier checks the attribute in the registration phase and the registration fails if the attributes are inconsistent;
step 07: user 1 sends a cross-subnet data request to sub-network 2; for a cross-subnet request the attribute verification cannot pass, i.e. the attributes of user 1 and sub-network 2 are inconsistent, the attribute authority rule table in the distributed record pool is not satisfied, and direct access is not possible; at this point the authority management module performs authorization information verification and requires user 1 to enter an authorization information verification code, and if the entered code does not correspond to any authorization information, the module reminds user 1 to send an authorization request to the manager of sub-network 2;
step 08: following step 07, after the manager of sub-network 2 logs in to the system, the manager sees the authorization request sent by user 1, which contains the public key of user 1; the manager can respond to the authorization request by accepting or rejecting it; once the manager accepts the request, an authorization record is added to the distributed record pool and the system automatically generates a six-digit verification code; the authority management module then automatically encrypts the verification code with the public key of user 1 to obtain the encrypted information, and signs the encrypted information with the private key of the manager of sub-network 2 (encryption under the private key) to obtain the signature information;
step 09: after logging in to the system, user 1 receives the notification that the manager of subnet 2 has granted the authorization of step 07, together with the encrypted information and the signature information sent by the system; the signature information is automatically verified with the public key from the distributed record pool, which ensures that the information was sent by the manager of subnet 2; at the same time, user 1 imports his private key to decrypt the encrypted information and finally obtains the six-digit verification code;
step 10: when user 1 has received the verification code of step 09, the code is entered and matched against the authorization information in the distributed record pool, and if the match succeeds, user 1 obtains the authority to access the data center url of sub-network 2, so that cross-network access is achieved;
step 11: once user 1 has passed the verification-code authorization check, the data management module immediately responds to the request and generates the url address of the data center of sub-network 2, and by opening that url user 1 can transfer or download the device data in sub-network 2;
step 12: a subnet manager can delete the devices/users registered in his own network, or delete the authorization information granted to users from other networks;
step 13: during system operation, the registration of user 1 and the authorization operation information of user 1 are recorded by the block chain layer in the form of blocks, forming a distributed ledger; the ledger exists in all subnets, which guarantees the transparency of the operation records and the security of the subnets' device data during access;
step 14: querying the distributed ledger of the block chain network, i.e. the block information, wherein the ledger is formed by linking blocks through their hash values, the blocks are formed from the operation information of the system, any change to the operation information in a block changes its hash value, the ledger exists in all pre-selected nodes PSPN, and any change requires the consensus of all network nodes; the ledger is queried through the web application, all system operation records are traceable, and the ledger cannot be altered.
CN201910648241.XA 2019-07-18 2019-07-18 Block chain-based Internet of things trusted distributed data sharing method Active CN110351381B (en)

Publications (2)

Publication Number Publication Date
CN110351381A CN110351381A (en) 2019-10-18
CN110351381B true CN110351381B (en) 2020-10-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant