CN110677407B - Safety control method of lightweight block chain platform - Google Patents
Safety control method of lightweight block chain platform Download PDFInfo
- Publication number
- CN110677407B CN110677407B CN201910919048.5A CN201910919048A CN110677407B CN 110677407 B CN110677407 B CN 110677407B CN 201910919048 A CN201910919048 A CN 201910919048A CN 110677407 B CN110677407 B CN 110677407B
- Authority
- CN
- China
- Prior art keywords
- data
- provider
- requester
- micro
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention provides a safety control method for a lightweight block chain platform, which comprises the following steps: the security management module judges whether the identities of a requester and a provider of the access request are legal or not through the intelligent contract; if the judgment result shows that the identities of the requester and the provider of the access request are both legal, the security management module judges whether the requester has the authority to access the provider according to the intelligent contract and the access control rule list; and if the judgment result is yes, the safety management module allows the requester to access the provider. The safety control method of the lightweight block chain platform provided by the embodiment of the invention is based on the technologies of data access control, dynamic audit analysis, evidence storage chain, data transmission audit and the like of multiple safety strategies, a complete platform endogenous safety mechanism is established for the terminal, and the safety of data and service is comprehensively guaranteed in the aspects of data safety access, data right and supervision, data transmission, data interaction, data service and the like.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a safety control method of a lightweight block chain platform.
Background
Under some specific security and supervision application scenes, an intelligent mobile terminal is required to be used as a block chain node to form a lightweight block chain platform. Under complex environments, the safety of business data has a crucial influence on processing results.
The intelligent mobile terminal is used as a field device for directly executing data acquisition, processing, transmission and calculation, has the characteristics of limited resources, unstable network connection, easy interference and the like, and an intrinsic safety mechanism is a foundation for ensuring the safety of terminal data and service.
The existing lightweight block chain platform has defects in safety control, and data and service safety is difficult to guarantee.
Disclosure of Invention
The embodiment of the invention provides a safety control method for a lightweight block chain platform, which is used for overcoming or at least partially overcoming the defect of insufficient safety of data and service in the prior art.
The embodiment of the invention provides a safety control method for a lightweight block chain platform, which comprises the following steps:
the security management module judges whether the identities of a requester and a provider of the access request are legal or not through the intelligent contract;
if the judgment result shows that the identities of the requester and the provider of the access request are both legal, the security management module judges whether the requester has the authority to access the provider according to the intelligent contract and the access control rule list;
and if the judgment result is yes, the safety management module allows the requester to access the provider.
Preferably, before the security management module determines whether the identities of the requester and the provider of the access request are legal through the intelligent contract, the method further includes:
and recording the security attribute identification of the requester through a distributed data storage device and a hardware private key storage device.
Preferably, before the security management module determines whether the identities of the requester and the provider of the access request are legal through the intelligent contract, the method further includes:
and registering the security attribute identification of each datum based on the certificate storing chain.
Preferably, before the security management module determines whether the identities of the requester and the provider of the access request are legal through the intelligent contract, the method further includes:
and registering the safety attribute identification of each micro service based on the micro service framework.
Preferably, after the security management module allows the requester to access the provider, the method further includes:
the request direction dynamic audit analysis device sends a micro-service request;
and the dynamic audit analysis device carries out full-life-cycle monitoring and audit on the micro-service requested by the micro-service request.
Preferably, the dynamic audit analysis device comprises a requester dynamic audit module, a provider dynamic audit module and an on-chain audit analysis module;
correspondingly, the specific step of sending the microservice request to the dynamic audit analysis device by the request direction includes:
the requester dynamic auditing module carries out compliance check on the micro-service request;
if the check is passed, the requester dynamic audit module stores a requester log and sends the micro-service request to the provider dynamic audit module;
the specific steps of the dynamic audit analysis device for carrying out full life cycle monitoring and auditing on the micro-service requested by the micro-service request comprise:
the requester dynamic auditing module sends the requester log to the on-chain auditing analysis module;
the provider dynamic audit module carries out compliance check on the microservice request;
if the check is passed, the provider dynamic audit module stores a provider log and sends the micro service request to a micro service module of the provider;
the provider dynamic audit module sends the provider log to the on-chain audit analysis module;
and the dynamic audit analysis device monitors and audits the micro service requested by the micro service request in a full life cycle according to the requester log and the provider log.
Preferably, the specific step of updating the chain of certificates includes:
and for data generated by any intelligent mobile terminal, the intelligent mobile terminal adds the security attribute identifier of the generated data to the evidence storing chain.
Preferably, for data generated by any intelligent mobile terminal, the specific step of adding, by any intelligent mobile terminal, the security attribute identifier of the generated data to the deposit chain includes:
acquiring a hash value of the generated data, and using the hash value of the generated data as a security attribute identifier of the generated data;
and the any intelligent mobile terminal adds the generated security attribute identifier of the data to the certificate storing chain.
Preferably, for the data generated by any intelligent mobile terminal, after the any intelligent mobile terminal adds the security attribute identifier of the generated data to the chain of deposit certificates, the method further includes:
any intelligent mobile terminal sends a consensus request to a block chain network;
each node in the block chain network receives the consensus request and performs consensus on the generated security attribute identification of the data;
and each node in the block chain network records the security attribute identification of the generated data.
Preferably, before the step of adding the security attribute identifier of the generated data to the chain of certificates for storage, the step of adding the security attribute identifier of the generated data to the chain of certificates for storage by any intelligent mobile terminal further includes:
and performing data transmission audit on the generated security attribute identification of the data.
According to the safety control method of the lightweight block chain platform, provided by the embodiment of the invention, a complete platform endogenous safety mechanism is established for the intelligent mobile terminal through technologies such as data access control, dynamic audit analysis, evidence storage chain and data transmission audit based on multiple safety strategies, the safety of data and service is comprehensively ensured in the aspects of data safety access, data right and supervision, data transmission, data interaction, data service and the like, and the safety of the lightweight block chain platform can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a safety control method for a lightweight blockchain platform according to an embodiment of the present invention;
fig. 2 is an interaction diagram of a dynamic audit analysis step in a security control method of a lightweight blockchain platform according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a verification chain in a security control method for a lightweight blockchain platform according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the above problems in the prior art, an embodiment of the present invention provides a security control method for a lightweight blockchain platform, and the inventive concept is to construct a distributed trust and security foundation by researching lightweight blockchain nodes, and to implement a data security access control technology based on multiple security policies by researching an integrated design technology of an internal security mechanism of an intelligent mobile terminal and integrating multiple factors such as communication, security, confidentiality, and the like, so as to ensure the security of data domain services of the intelligent terminal.
Fig. 1 is a schematic flow chart of a safety control method for a lightweight blockchain platform according to an embodiment of the present invention. As shown in fig. 1, the method includes: and S101, the security management module judges whether the identities of a requester and a provider of the access request are legal or not through the intelligent contract.
The safety control method provided by the embodiment of the invention is suitable for a lightweight block chain platform. The lightweight block chain platform refers to a block chain platform with each block chain node as an intelligent mobile terminal.
The embodiment of the invention adopts a data access control method based on multiple security policies, and relates to the identification, recognition and dynamic adjustment of the identity of a subject, the registration and recording of objects and security attributes thereof, and the confirmation and execution of security access control rules between the subject and the objects.
And the main body refers to a requester of the access request and is an intelligent mobile terminal.
The object refers to the object requested by the access request, and comprises data and microservices. The provider of the access request refers to an intelligent mobile terminal for storing data requested by the access request or providing micro-service requested by the access request.
It should be noted that the security attribute identifier of the main body is predefined, and the recording of the security attribute identifier of each main body is completed through the distributed data storage module and the hardware private key storage device.
Security attribute identification of the subject for representing the security attribute of the subject
The security management module can identify the identity of the requester of the access request through the intelligent contract and judge whether the identity of the requester of the access request is legal or not according to the recorded security attribute identification of each main body.
If the access request is legal, executing a step of judging whether the identity of the requester of the access request is legal or not; and if the access request is illegal, the requester of the access request is not allowed to access the provider.
It should be noted that, the security attribute identifier of an object (data or service) is defined in advance, and the record of the security attribute identifier of each object on the chain is completed through data storage and micro-service registration.
The security management module can identify the identity of the provider of the access request through the intelligent contract, and judge whether the identity of the provider of the access request is legal or not according to the recorded security attribute identification of each object.
If the code is legal, executing the step S102; and if the access request is illegal, the requester of the access request is not allowed to access the provider.
And S102, if the judgment result shows that the identities of the requester and the provider of the access request are both legal, the security management module judges whether the requester has the authority of accessing the provider according to the intelligent contract and the access control rule list.
It should be noted that, an access control rule list is defined on the distributed data storage module in advance, and the access right of each subject to each object is specified.
The security management module can execute the access control rule in the access control rule list through the intelligent contract, and judge whether the access of the requester to the object requested by the access request conforms to the access control rule, so that whether the requester has the access right to the object requested by the access request can be judged.
And step S103, if the judgment result is yes, the safety management module allows the requester to access the provider.
Specifically, if the requester has an access right to the object requested by the access request, the authorization of the subject to the object access is completed through the signature endorsement of each block chain node, so that the security access control is realized.
According to the embodiment of the invention, through data access control based on multiple security policies, the security of data and services can be ensured in the aspects of data security access, data interaction and the like, and the security of a lightweight block chain platform can be improved.
Based on the content of the foregoing embodiments, before the security management module determines whether the identities of the requester and the provider of the access request are legal according to the intelligent contract, the method further includes: and recording the security attribute identification of the requester through the distributed data storage device and the hardware private key storage equipment.
In particular, the identity information may be defined as a security attribute identification of the principal.
And the identity certification of the main body is finished by adopting hardware private key storage equipment. The hardware private key can uniquely confirm the identity of the main body, and meanwhile, the private key is stored in safe hardware, so that the private key can be ensured not to flow out in plain, and attack and detection can be effectively resisted.
The identification of the identity of the subject is accomplished using a keychain in conjunction with a CA (Certificate Authority) whitelist.
And the key chain is used for node management of the whole blockchain network, and comprises node registration, joining and exiting of the blockchain network. The key chain is a block chain.
And the CA white list is used for carrying out identity identification on the predetermined block nodes and supporting functions of block node addition, service registration, equipment communication and the like.
And (3) dynamically adjusting the identity of the main body by adopting a distributed identity identification technology, namely adding and removing the centralized block nodes in real time. When the existing node in the block chain network is found to be invalid, a single node can initiate declaration of the identity invalidation of the specific node, and if sufficient signature endorsements of other nodes are collected by the invalidation declaration, the node is removed from the block chain network.
According to the embodiment of the invention, the security attribute identifier of the main body is recorded and identified through the distributed data storage device and the hardware private key storage equipment, so that the security attribute identifier of the main body is not easy to be tampered and revealed, and the security of the lightweight block chain platform can be improved.
Based on the content of the foregoing embodiments, before the security management module determines whether the identities of the requester and the provider of the access request are legal according to the intelligent contract, the method further includes: and registering the security attribute identification of each datum based on the certificate storing chain.
Specifically, if the object is data, the content and the security level of the data may be defined as a security attribute identifier, and the registration and the identification of the content and the security level of the data are completed through a chain of certificates.
And the certificate storing chain is used for storing the certificate on the data information in a real-time chain. The evidence storing chain is a block chain.
The embodiment of the invention registers the security attribute identification of each data based on the certificate storing chain, can realize the certificate storing of the data through the technical characteristics of a block chain common identification mechanism, no tampering, security, transparency and the like, and provides a credible data source for the subsequent data carding, summarizing and analyzing.
Based on the content of the foregoing embodiments, before the security management module determines whether the identities of the requester and the provider of the access request are legal according to the intelligent contract, the method further includes: and registering the safety attribute identification of each micro service based on the micro service framework.
Specifically, if the object is a micro service, the information of the micro service can be defined as a security attribute identifier, an efficient, lightweight and tailorable micro service framework is constructed by using the block chain nodes in combination with the requirements of low power consumption and light weight of the intelligent mobile terminal, and corresponding micro service registration and discovery are realized based on the micro service framework.
In the micro-service framework, registration and discovery of micro-services are realized by a micro-service registration chain which is commonly maintained on the basis that providers of the micro-services serve as block chain nodes. The microservice registration chain is a block chain. And the provider of the micro service is an intelligent mobile terminal. And the micro-service framework comprises a software layer and a hardware layer, wherein the software layer comprises all micro-services, and the hardware layer comprises a micro-service gateway and all intelligent mobile terminals.
The embodiment of the invention registers and discovers the safety attribute identification of each micro service based on the micro service framework, and can improve the safety of the lightweight block chain platform.
Based on the content of the foregoing embodiments, after the security management module allows the requester to access the provider, the method further includes: and the request side sends a micro-service request to the dynamic audit analysis device.
It should be noted that, in order to enhance the security of the data and the service of the intelligent terminal in the actual application scenario, the lightweight block chain platform may further include a dynamic audit analysis device based on the block chain.
And when the access request is a calling request of the micro-service, an application layer on the intelligent mobile terminal of the requester sends the calling request of the micro-service through the security management module. Specifically, a request for calling the micro service is sent to a micro service management submodule included in the security management module.
The micro-service management submodule carries out safety access control detection through the micro-service registration chain, specifically, a verification request is sent to the micro-service registration chain, the micro-service registration chain verifies whether the calling request meets a safety access control rule, and corresponding approval information is sent to the micro-service management submodule to realize access control.
The micro service registration chain is stored with the authority of all subjects, the authority of all registered objects and the matching relation of the two, and automatically executes the security access control rule through an intelligent contract. The specific steps for implementing the access control are detailed in the foregoing embodiments, and are not described herein again.
And the micro-service management submodule returns the approval information to an application layer on the intelligent mobile terminal of the requester.
And if the approval information is access permission, namely after the security management module permits the requester to access the provider, the requester sends a micro-service request to the dynamic audit analysis device.
And the dynamic audit analysis device is used for monitoring and auditing the whole life cycle of each micro service.
And the dynamic audit analysis device carries out full life cycle monitoring and audit on the micro-service requested by the micro-service request.
Specifically, after the call request of the microservice is started, the dynamic audit analysis device performs full-life-cycle monitoring and audit on the microservice requested by the microservice request.
The micro-service is monitored and audited in a full life cycle, and a common method for monitoring and auditing the service can be adopted, which is not particularly limited in the embodiment of the invention.
According to the embodiment of the invention, through carrying out full-life-cycle monitoring and auditing on the micro-service, the relevant evidence for responsibility tracking can be obtained through an auditing management support means, effective authority control on sensitive data, execution service and results thereof can be realized, and the safety of a lightweight block chain platform can be improved. In addition, a lightweight secure communication protocol can be provided, under the condition of resource limitation, secure and trusted interaction of data and services between terminals can be realized, and the security of a lightweight block chain platform is further improved.
Fig. 2 is an interaction diagram of a dynamic audit analysis step in a security control method for a lightweight blockchain platform according to an embodiment of the present invention. Based on the content of the foregoing embodiments, as shown in fig. 2, the dynamic audit analysis apparatus includes a requester dynamic audit module, a provider dynamic audit module, and an on-chain audit analysis module.
The dynamic audit analysis device comprises a requester dynamic audit module, a provider dynamic audit module and an on-chain audit analysis module.
Each intelligent mobile terminal in the lightweight blockchain platform comprises a dynamic audit module. If the intelligent mobile terminal is a requester, the dynamic audit module in the intelligent mobile terminal is a requester dynamic audit module; and if the intelligent mobile terminal is a provider, the dynamic audit module in the intelligent mobile terminal is the provider dynamic audit module.
And the dynamic audit module is used for reporting the micro-service request, the call and the used condition on the intelligent mobile terminal to the on-chain audit analysis module.
And the chain audit analysis module is independent of each intelligent mobile terminal and is in communication connection with each dynamic audit module.
Correspondingly, the specific steps of sending the micro-service request to the dynamic audit analysis device by the request side include: the dynamic auditing module of the requester performs compliance check on the micro-service request; and if the check is passed, the requester dynamic audit module stores the requester log and sends the micro-service request to the provider dynamic audit module.
Specifically, if the approval result is that access is allowed, that is, the micro-service management sub-module agrees with the micro-service request, the requester performs compliance check on the micro-service request through the requester dynamic audit module.
And if the check is not passed, the micro-service request is not sent to the dynamic audit module of the provider.
If the check is passed, recording the request condition of the micro service on the requester as a requester log and storing the log; and after the log is kept, forwarding the micro-service request to a dynamic audit module of a provider.
It should be noted that, before the requester performs compliance check on the microservice request through the requester dynamic audit module, the microservice management sub-module reports the approval information to the chain audit analysis module.
The method comprises the following specific steps of carrying out full-life-cycle monitoring and auditing on the micro-service requested by the micro-service request by the dynamic audit analysis device: and the requester dynamic audit module sends the requester log to the chain audit analysis module.
Specifically, after log retention is performed by the requester dynamic audit module, the requester log is reported to the chain audit analysis module.
The provider dynamic audit module carries out compliance check on the micro service request; and if the check is passed, the provider dynamic audit module stores a provider log and sends the micro-service request to the micro-service module of the provider.
Specifically, the provider performs compliance check on the received micro-service request through the provider dynamic audit module.
And if the check is not passed, not sending the micro-service request to the micro-service module of the provider. And the micro-service module is used for providing the micro-service.
If the check is passed, recording the calling and the used condition of the micro service on the provider as a provider log and storing the provider log; and after the log is kept, forwarding the micro-service request to a micro-service module of a provider.
And the micro-service module of the provider provides the micro-service requested by the micro-service request to the outside according to the micro-service request.
And the provider dynamic audit module sends the provider log to the on-chain audit analysis module.
Specifically, after the log is retained by the dynamic provider audit module, the provider log is reported to the on-chain audit analysis module.
And the dynamic audit analysis device monitors and audits the micro service requested by the micro service request in a full life cycle according to the log of the requester and the log of the provider.
Specifically, the dynamic audit analysis device can monitor, audit and analyze the request, call and used conditions of the microservice according to a requester log and a provider log, so as to realize the full life cycle monitoring and audit of the microservice.
According to the embodiment of the invention, through carrying out full-life-cycle monitoring and auditing on the micro-service, the relevant evidence for responsibility tracking can be obtained through an auditing management support means, effective authority control on sensitive data, execution service and results thereof can be realized, and the safety of a lightweight block chain platform can be improved.
Fig. 3 is a schematic diagram of a verification chain in a security control method for a lightweight blockchain platform according to an embodiment of the present invention. Based on the content of the foregoing embodiments, as shown in fig. 3, the specific step of updating the certificate chain includes: and for the data generated by any intelligent mobile terminal, any intelligent mobile terminal adds the security attribute identifier of the generated data to the evidence storing chain.
It should be noted that in a complex practical application environment, information interaction between the intelligent mobile terminals is frequent, and for requirements of information security, data confidentiality, data storage and post summary in the scene, data storage can be performed based on technical characteristics of a block chain consensus mechanism, non-falsification, safety, transparency and the like.
Specifically, for data generated by any intelligent mobile terminal, a security attribute identifier of the data can be generated, and the intelligent mobile terminal can link the security attribute identifier of the data to a certificate storage chain based on a block chain technology, so that the certificate storage on a real-time chain of data information in an actual environment is realized.
The data generated by the intelligent mobile terminal is evidence storage data.
As a bottom layer supporting environment for information storage, a block chain system needs to have the characteristics of high concurrency, non-tampering, data security and privacy and the like so as to meet the requirements of timely storage of real-time complex data and subsequent data verification and analysis.
According to the embodiment of the invention, the on-chain evidence storage is carried out on the data information through the evidence storage chain, a credible data source can be provided for the subsequent data carding, summarizing and analysis, and the safety of the lightweight block chain platform can be improved.
Based on the content of the above embodiments, for data generated by any intelligent mobile terminal, the specific step of adding the security attribute identifier of the generated data to the certificate chain by any intelligent mobile terminal includes: and acquiring the hash value of the generated data, and using the hash value of the generated data as the security attribute identification of the generated data.
Specifically, the updating of the chain of certificates mainly includes several steps of data production, data hashing, data chaining, data consensus and data verification.
The data production steps include: and according to the service requirement, real-time data production is carried out, data are generated in the intelligent mobile terminal, and local storage is completed. The data generated by this step may include various types of audio, video, pictures, text, and so on.
The data hashing step comprises the following steps: and after the data production is finished, data hash calculation is finished locally, and the hash value obtained by calculation is used as the security attribute identification of the data.
Note that the data itself is not information stored in the chain, but a chain credit operation is performed on the hash value of the data. The hash value of the data is in one-to-one correspondence with the data file.
And any intelligent mobile terminal adds the generated security attribute identifier of the data into the evidence storing chain.
The data uplink step comprises: after the data hash calculation is completed, the local block link node completes the uplink operation on the hash value of the data.
And generating a digital fingerprint according to the hash value of the data, and generating a block of the uplink by combining the evidence storage time.
According to the embodiment of the invention, the hash value of the data is added into the certificate storage chain for certificate storage, and the credibility of the certificate storage can be ensured through the corresponding relation between the hash value and the meaning of the data, so that a credible data source can be provided for subsequent data carding, summarizing and analysis, and the safety of the lightweight block chain platform can be improved.
Based on the content of the foregoing embodiments, for data generated by any intelligent mobile terminal, after any intelligent mobile terminal adds the security attribute identifier of the generated data to the chain of deposit certificates, the method further includes: any intelligent mobile terminal sends a consensus request to the blockchain network.
Specifically, the data uplink step further includes: after the local blockchain node chains the hash value of the data, a consensus request is sent to the blockchain network.
And each node in the block chain network receives the consensus request and performs consensus on the generated security attribute identification of the data.
The data consensus step comprises the following steps: each node in the block chain network receives the consensus request and confirms and endorses the uplink data.
And recording the security attribute identification of the generated data by each node in the block chain network.
Specifically, after the consensus process is completed, each node in the block chain network uniformly records the hash value of the data, so as to update the copy of the certificate chain.
It should be noted that, after the field service executed by the lightweight blockchain platform is finished, each node in the blockchain network stores various information data and the flow records of the information. By extracting and comparing the file and the information on the chain, the verification, the combing and the analysis of the service field data can be completed, and the credible data support is provided for optimizing the service flow.
The embodiment of the invention can realize the data evidence storage through a block chain consensus mechanism and provide a credible data source for the subsequent data combing, summarizing and analyzing.
Based on the content of the above embodiments, before any intelligent mobile terminal adds the security attribute identifier of the generated data to the chain of deposit certificates, the method further includes: and carrying out data transmission audit on the generated security attribute identification of the data.
Specifically, when the security attribute identifier of the data needs to be uplink, data transmission audit is performed on the uplink data before the security attribute identifier of the data is transmitted.
It should be noted that, as a channel for real world information to enter a blockchain, data transmission auditing provides a trusted external data access service for the blockchain. Through the data transmission auditing service, the information under the chain can trigger the action on the chain, and the information barrier between a block chain and the real world is broken. The data transmission auditing service can help the service platform on the chain to butt against various data which are collected by the environment sensing equipment and confirmed by the safety hardware, and the requirements of upper-layer services are met.
The data transmission audit mainly comprises the steps of restricting a uplink service provider by introducing a verification mechanism, ensuring that the uplink service is restricted to be capable of only sending a data uplink provided by a credible data source on the premise of not influencing normal network communication with the assistance of a cryptography method, and verifying the restriction process. Meanwhile, while providing the uplink service, a certification file is generated, and any third party can verify the validity of the whole service process and result through the certification file.
The data transmission audit can provide evidence to the third party auditor to demonstrate network traffic occurring between the third party auditor and the correspondent party. As long as the third party auditor trusts the adversary's public key, the evidence is irrevocable. Data transfer auditing allows a audited party to use https to converse with an adversary so that a third party auditor can verify certain portions of the conversation by temporarily hiding a small portion of the key. The audited party does not reveal any session keys to the third party auditor anyone else at any time, nor does it present or decrypt any data without authentication. Thus, a complete security model of the session is maintained.
According to the embodiment of the invention, the data transmission audit is carried out on the uplink data, so that the safety of the uplink data can be ensured, and the safety of the lightweight block chain platform can be further improved.
When data access is performed, data access control based on multiple security policies is performed first; when the object of data access is the micro service, after the access is authorized, the dynamic audit analysis device can be used for carrying out dynamic audit analysis on the calling of the micro service. However, in the actual service calling process, some specific data can be called through the service, so the dynamic audit analysis device can also be used for carrying out dynamic audit analysis on the specific data.
In the access control and dynamic audit analysis steps, the intelligent mobile terminal generates data, and the data generated in the access control or dynamic audit analysis steps can be stored through a certificate storage chain. The certificate can be stored for other data generated by the intelligent mobile terminal through the certificate storage chain.
And (4) winding up external data of the lightweight block chain platform, and ensuring the safety through data transmission audit.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. It is understood that the above-described technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method of the above-described embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (8)
1. A safety control method for a lightweight blockchain platform, comprising:
the security management module judges whether the identities of a requester and a provider of the access request are legal or not through the intelligent contract;
if the judgment result shows that the identities of the requester and the provider of the access request are both legal, the security management module judges whether the requester has the authority to access the provider according to the intelligent contract and the access control rule list;
if the judgment result is yes, the safety management module allows the requester to access the provider;
after the security management module allows the requester to access the provider, the method further comprises:
the request direction dynamic audit analysis device sends a micro-service request;
the dynamic audit analysis device carries out full life cycle monitoring and audit on the micro-service requested by the micro-service request;
the dynamic audit analysis device comprises a requester dynamic audit module, a provider dynamic audit module and an on-chain audit analysis module;
correspondingly, the specific step of sending the microservice request to the dynamic audit analysis device by the request direction includes:
the requester dynamic auditing module carries out compliance check on the micro-service request;
if the check is passed, the requester dynamic audit module stores a requester log and sends the micro-service request to the provider dynamic audit module;
the specific steps of the dynamic audit analysis device for carrying out full life cycle monitoring and auditing on the micro-service requested by the micro-service request comprise:
the requester dynamic auditing module sends the requester log to the on-chain auditing analysis module;
the provider dynamic audit module carries out compliance check on the microservice request;
if the check is passed, the provider dynamic audit module stores a provider log and sends the micro service request to a micro service module of the provider;
the provider dynamic audit module sends the provider log to the on-chain audit analysis module;
and the dynamic audit analysis device monitors and audits the micro service requested by the micro service request in a full life cycle according to the requester log and the provider log.
2. The method for security control of a lightweight blockchain platform according to claim 1, wherein the security management module further comprises before determining whether the identities of the requester and the provider of the access request are legal according to an intelligent contract:
and recording the security attribute identification of the requester through a distributed data storage device and a hardware private key storage device.
3. The method for security control of a lightweight blockchain platform according to claim 1, wherein the security management module further comprises before determining whether the identities of the requester and the provider of the access request are legal according to an intelligent contract:
and registering the security attribute identification of each datum based on the certificate storing chain.
4. The method for security control of a lightweight blockchain platform according to claim 1, wherein the security management module further comprises before determining whether the identities of the requester and the provider of the access request are legal according to an intelligent contract:
and registering the safety attribute identification of each micro service based on the micro service framework.
5. The method of claim 3, wherein the step of updating the chain of credit comprises:
and for data generated by any intelligent mobile terminal, the intelligent mobile terminal adds the security attribute identifier of the generated data to the evidence storing chain.
6. The safety control method of the lightweight blockchain platform according to claim 5, wherein for any intelligent mobile terminal generated data, the specific step of adding the safety attribute identifier of the generated data to the chain of evidence storage by any intelligent mobile terminal includes:
acquiring a hash value of the generated data, and using the hash value of the generated data as a security attribute identifier of the generated data;
and the any intelligent mobile terminal adds the generated security attribute identifier of the data to the certificate storing chain.
7. The safety control method for the lightweight blockchain platform according to claim 6, wherein for the data generated by any intelligent mobile terminal, after the any intelligent mobile terminal adds the safety attribute identifier of the generated data to the chain of certificates, the method further comprises:
any intelligent mobile terminal sends a consensus request to a block chain network;
each node in the block chain network receives the consensus request and performs consensus on the generated security attribute identification of the data;
and each node in the block chain network records the security attribute identification of the generated data.
8. The method of any of claims 5 to 7, wherein before the step of adding the security attribute identifier of the generated data to the chain of credit, the method further comprises:
and performing data transmission audit on the generated security attribute identification of the data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910919048.5A CN110677407B (en) | 2019-09-26 | 2019-09-26 | Safety control method of lightweight block chain platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910919048.5A CN110677407B (en) | 2019-09-26 | 2019-09-26 | Safety control method of lightweight block chain platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110677407A CN110677407A (en) | 2020-01-10 |
| CN110677407B true CN110677407B (en) | 2022-04-22 |
Family
ID=69079368
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910919048.5A Active CN110677407B (en) | 2019-09-26 | 2019-09-26 | Safety control method of lightweight block chain platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110677407B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111723126B (en) * | 2020-05-11 | 2022-09-02 | 杭州电子科技大学 | Block chain-based cold and hot time sequence data classification processing method and storage system |
| CN111597585B (en) * | 2020-05-26 | 2023-08-11 | 牛津(海南)区块链研究院有限公司 | Privacy protection method, system and related components of blockchain data |
| CN112417496A (en) * | 2020-10-28 | 2021-02-26 | 北京八分量信息科技有限公司 | Method for realizing white list based on intelligent contract based on deep learning |
| CN113411191B (en) * | 2021-08-20 | 2021-11-23 | 深圳前海微众银行股份有限公司 | Data auditing method and device |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106296359A (en) * | 2016-08-13 | 2017-01-04 | 深圳市樊溪电子有限公司 | Credible electric power networks transaction platform based on block chain technology |
| CN106991035B (en) * | 2017-04-06 | 2020-04-21 | 北京计算机技术及应用研究所 | Host monitoring system based on micro-service architecture |
| CN108737348A (en) * | 2017-04-21 | 2018-11-02 | 中国科学院信息工程研究所 | A kind of internet of things equipment access control method of the intelligent contract based on block chain |
| CN108256999B (en) * | 2018-01-19 | 2020-08-14 | 阿里巴巴集团控股有限公司 | Capital transfer method and device and electronic equipment |
| CN109117668A (en) * | 2018-08-10 | 2019-01-01 | 广东工业大学 | A kind of identification authorization safety access method based on block chain building |
| CN109190410B (en) * | 2018-09-26 | 2020-05-19 | 华中科技大学 | Log behavior auditing method based on block chain in cloud storage environment |
| CN109376275A (en) * | 2018-10-29 | 2019-02-22 | 上海点融信息科技有限责任公司 | For monitoring the method, apparatus and medium of the operational indicator on block chain |
| CN109302415B (en) * | 2018-11-09 | 2019-11-01 | 四川虹微技术有限公司 | A kind of authentication method, block chain node and storage medium |
-
2019
- 2019-09-26 CN CN201910919048.5A patent/CN110677407B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN110677407A (en) | 2020-01-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110677407B (en) | Safety control method of lightweight block chain platform | |
| US20170289134A1 (en) | Methods and apparatus for assessing authentication risk and implementing single sign on (sso) using a distributed consensus database | |
| US8572686B2 (en) | Method and apparatus for object transaction session validation | |
| US20130047202A1 (en) | Apparatus and Method for Handling Transaction Tokens | |
| US8949995B2 (en) | Certifying server side web applications against security vulnerabilities | |
| CN111526156B (en) | Big data based security cloud platform system | |
| US8572690B2 (en) | Apparatus and method for performing session validation to access confidential resources | |
| TW202115643A (en) | Decentralized automatic phone fraud risk management | |
| CN111092960A (en) | Distributed data acquisition system and operation method thereof | |
| CN112862487A (en) | Digital certificate authentication method, equipment and storage medium | |
| US8572724B2 (en) | Method and apparatus for network session validation | |
| CN114338105B (en) | Zero trust based system for creating fort | |
| CN112634040B (en) | Data processing method and device | |
| CN116260656B (en) | Main body trusted authentication method and system in zero trust network based on blockchain | |
| Ram et al. | Security and privacy concerns in connected cars: A systematic mapping study | |
| CN108694329A (en) | A kind of mobile intelligent terminal security incident based on software and hardware combining is credible record system and method | |
| CN116208401A (en) | Cloud master station access control method and device based on zero trust | |
| CN113037467B (en) | Video Internet of things equipment key certificate management method, device and system | |
| US8572688B2 (en) | Method and apparatus for session validation to access third party resources | |
| Yu et al. | Research on zero trust access control model and formalization based on rail transit data platform | |
| US8726340B2 (en) | Apparatus and method for expert decisioning | |
| CN115801472B (en) | Authority management method and system based on authentication gateway | |
| WO2023071722A1 (en) | Code management method and apparatus | |
| US8601541B2 (en) | Method and apparatus for session validation to access mainframe resources | |
| CN117955866A (en) | Transaction monitoring method, device, electronic equipment and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |