CN111010386A - Privacy protection and data supervision control method based on shared account book - Google Patents

Privacy protection and data supervision control method based on shared account book Download PDF

Info

Publication number
CN111010386A
CN111010386A CN201911258785.1A CN201911258785A CN111010386A CN 111010386 A CN111010386 A CN 111010386A CN 201911258785 A CN201911258785 A CN 201911258785A CN 111010386 A CN111010386 A CN 111010386A
Authority
CN
China
Prior art keywords
account book
key
symmetric key
fragment
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911258785.1A
Other languages
Chinese (zh)
Other versions
CN111010386B (en
Inventor
张曙华
杨安荣
路斌
胡东平
魏爱红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Zhongxin Information Development Co ltd
Original Assignee
Shanghai Zhongxin Information Development Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Zhongxin Information Development Co ltd filed Critical Shanghai Zhongxin Information Development Co ltd
Priority to CN201911258785.1A priority Critical patent/CN111010386B/en
Publication of CN111010386A publication Critical patent/CN111010386A/en
Application granted granted Critical
Publication of CN111010386B publication Critical patent/CN111010386B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a privacy protection and data supervision control method based on a shared account book, which comprises the following steps: establishing a shared account book authority model by using an intelligent contract technology according to the authority requirement of participant data control; the provider encrypts, authorizes and links the transaction data; the supervisor checks the shared account book, and applies for the symmetric key fragment from the operator to check the ciphertext data of the account book; and the utilization party acquires the symmetric key and uses the ledger ciphertext data. The invention realizes the data supervision control of the restriction between the operator and the supervisor.

Description

Privacy protection and data supervision control method based on shared account book
Technical Field
The invention relates to the technical field of block chains, in particular to a privacy protection and data supervision control method based on a shared account book.
Background
The block chain is a distributed book technology, and the public and transparent characteristics of the block chain cause serious threats to the privacy of users. For commercial establishments, sharing important asset and transaction information can easily reveal trade secrets and compromise the interests of the establishment. Furthermore, regulatory agencies are limited in that user privacy is difficult to effectively participate in regulation. How to solve the problems of privacy protection and data supervision control is a challenge in the business application landing process of the current block chain technology.
With the development of blockchain technology, many solutions for solving the user privacy problem exist at present, and based on, for example, mixed coins, out-of-chain storage, account book isolation, encryption protection, identity confusion, zero knowledge proof, and the like, the most common in a block chain technology platform of an alliance chain are the following: the account book access control method based on the channel comprises an account book isolation technology based on the channel, an access control technology based on an intelligent contract and an account book privacy data encryption technology based on the channel.
The prior patent application CN110335043A discloses a transaction privacy protection method, device and system based on a blockchain system, which achieves the purpose that a privacy field is readable only to a designated party by encrypting key data that needs privacy protection in a transaction, and implements efficient privacy encryption by a method of matching symmetric encryption and asymmetric encryption. However, the inventor of the present invention finds that the method does not consider protection of the key itself, data leakage is also easily caused by loss and cracking of the key, and in a federation chain application platform, management of the key mainly depends on an operator, and a supervisor cannot be separated from technical dependence of the operator.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a privacy protection and data supervision control method based on a shared account book, and realize data supervision control restricted by an operator and a supervisor.
The technical scheme adopted by the invention for solving the technical problems is as follows: the privacy protection and data supervision control method based on the shared account book comprises the following steps:
(1) establishing a shared account book authority model by using an intelligent contract technology according to the authority requirement of participant data control;
(2) the provider encrypts, authorizes and links the transaction data;
(3) the supervisor checks the shared account book, and applies for the symmetric key fragment from the operator to check the ciphertext data of the account book;
(4) and the utilization party acquires the symmetric key and uses the ledger ciphertext data.
The shared account book authority model in the step (1) comprises a shared account book, an authorized account book of a utilization party, an authorized account book of an operation party and an authorized account book of a monitoring party.
The step (2) specifically comprises the following steps:
(21) generating a symmetric key by adopting a symmetric encryption algorithm;
(22) encrypting the ciphertext part of the shared account book by adopting a symmetric encryption algorithm and the symmetric key;
(23) acquiring transaction certificates of a user, an operator and a supervisor, and acquiring transaction public keys of the transaction certificates;
(24) and (3) authorizing by the provider: the provider encrypts the symmetric key by using the transaction public key of the provider, and writes the encrypted symmetric key into a user authorized account book, an operator authorized account book and a supervisor authorized account book;
(25) and key fragment authorization: parity fragmentation is carried out on the symmetric key to obtain a fragment A and a fragment B, the fragment A is encrypted by using a public key of an operator and is written into an authorized account book of the operator; and encrypting the fragment B by using the public key of the supervisor, and writing the fragment B into the supervisor authorization account book.
The symmetric key in step (21) includes a 16-bit root key and a 16-bit dynamic key, and the generation process is as follows:
carrying out AES 128-bit encryption by transaction certificate number and date, and taking the first 16 bits to generate a root key;
selecting numbers, letters and special symbols as seed characters, wherein the numbers are marked as N, the letters are marked as Z, the special symbols are marked as T,the dynamic key is Nx+Zx+TxWherein x is the number of bits of the dynamic key, when N isxWhen the value of (1) is greater than 9, the maximum value is obtained for the first time, and the digit of x is subtracted from the maximum value for the second time and later;
combining the 16-bit root key and the 16-bit dynamic key to generate a symmetric key;
the symmetric key is encrypted using the MD5 encryption algorithm to generate 32-bit ciphertext data.
The step (3) specifically comprises the following steps:
(31) the method comprises the following steps that a supervisor makes a supervision application to an operator for data to be supervised;
(32) the operator decrypts the fragment A of the symmetric key by using the own transaction private key, and encrypts the fragment A of the symmetric key by using the public key of the supervisor;
(33) the supervisor decrypts the fragment A and the fragment B of the symmetric key by using the own key to obtain the symmetric key;
(34) and the supervisor decrypts the ciphertext part of the shared account book by using the symmetric key.
The step (4) specifically comprises the following steps:
(41) when a user carries out transaction, a ciphertext part of the shared account book is obtained according to the plaintext part of the shared account book;
(42) the user inquires and obtains the ciphertext of the symmetric key in the user authorized account book;
(43) the user decrypts the symmetric key by using the transaction public key of the user to obtain a plaintext of the symmetric key;
(44) and decrypting the ciphertext part of the shared account book by using the symmetric key, and performing corresponding business operation by using the decrypted data.
When the key needs to be updated, the symmetric key recovery processing is performed on the historical data of the shared account book, and the method specifically comprises the following steps:
the provider submits the new public key to the operator to apply for recovering data;
the operator decrypts the fragment A of the symmetric key in the operator authorized account book by using the private key of the operator, encrypts by using the new public key of the provider, and writes into the user authorized account book;
the provider submits the new public key to the supervisor to apply for recovering data;
the supervisor decrypts the fragment B of the symmetric key in the supervisor authorization account book by using the private key of the supervisor, encrypts by using the new public key of the provider, and writes into the user authorization account book;
the provider traverses the account book authorized by the user, decrypts the fragment A and the fragment B of the symmetric key by using the transaction private key of the provider, and synthesizes the symmetric key again;
and encrypting the synthesized symmetric key by using the transaction public key, and storing the encrypted symmetric key into an authorized account book of the user.
Advantageous effects
Due to the adoption of the technical scheme, compared with the prior art, the invention has the following advantages and positive effects: the invention realizes the authorization of legal utilization parties and the confidentiality of unauthorized utilization parties through data encryption, and realizes the data supervision control of the restriction of an operator and a supervisor through the fragment storage of the symmetric key of the ciphertext data in the shared account book. The invention not only can realize the encryption protection of the sensitive data of the shared account book, but also can prevent the supervisors from leaking the data in batches, thereby realizing effective data supervision control. The invention only saves the ciphertext of the symmetric key in the user authorized account book, the supervisor authorized account book and the operator authorized account book, and has less system storage data and high access efficiency. When a transaction key (public and private key pair) of a provider is replaced, the invention can regenerate the ciphertext of the symmetric key by using a new public key of the provider, thereby ensuring that the historical data is available.
Drawings
FIG. 1 is a flow chart of an embodiment of the present invention;
FIG. 2 is a schematic diagram of a shared ledger permissions model in an embodiment of the invention;
FIG. 3 is a flow chart of transaction data encryption in an embodiment of the invention;
fig. 4 is a flow chart of data supervision according to an embodiment of the present invention.
Detailed Description
The invention will be further illustrated with reference to the following specific examples. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and such equivalents may fall within the scope of the present invention as defined in the appended claims.
The embodiment of the invention relates to a privacy protection and data supervision control method based on a shared account book, which realizes authorization of legal utilization parties and confidentiality of unauthorized utilization parties by establishing an account book data authority model and applying data encryption, realizes data supervision control of restriction between an operator and a supervisor by fragmentally storing symmetric keys of ciphertext data in the shared account book, and meets the utilization and supervision requirements of each participant on the account book.
According to the method, according to the operation types of the participated nodes in the alliance, the participated parties are divided into four types:
a provider: and participating in the transaction process to generate transaction data which is responsible for data encryption authorization and uplink.
The utilization method comprises the following steps: and participating in the transaction process, and utilizing the shared book data by using the transaction data.
The monitoring party: does not participate in the transaction process and supervises the transaction data.
The operator: the data is not involved in the transaction process, and is authorized when the supervisor supervises the data.
As shown in fig. 1, the privacy protection and data supervision control method based on the shared ledger of the present embodiment mainly includes the following steps:
1. and establishing a shared account book authority model according to the participant data control authority requirement.
2. During the transaction, the operator acts as a provider to encrypt and authorize the transaction data and to uplink it.
3. And the supervisor checks the shared account book and applies for the symmetric key fragments from the operator to check the ciphertext data of the account book.
4. During the transaction process, the operator is used as a utilization party to obtain the symmetric key and use the account book ciphertext data.
5. When the key is lost or leaked and needs to be updated, the historical data is ensured to be available by carrying out symmetric key recovery processing on the historical data of the shared ledger.
The shared account book authority modeling is mainly to establish an authority model of the shared account book by using an intelligent contract technology. The authority model of the shared account book consists of the shared account book, an authorized account book by a utilization party, an authorized account book by an operator and an authorized account book by a monitoring party. As shown in particular in fig. 2.
Each ledger is described in detail as follows:
sharing the account book: the transaction ID is mainly recorded, and a plaintext part and a ciphertext part of the account book are shared, wherein the ciphertext part is obtained by encrypting sensitive data by using a symmetric key.
The user authorizes the account book: the transaction ID, the user ID and the ciphertext of the symmetric key are mainly recorded. Wherein the ciphertext of the symmetric key is obtained by encrypting the symmetric key using the public key of the provider. The cryptograph of the symmetric key comprises a symmetric key A piece cryptograph and a symmetric key B piece cryptograph, the symmetric key A piece cryptograph and the symmetric key B piece cryptograph are used when the transaction key is replaced, and the initial value is null;
the operator authorizes the account book: the transaction ID, the operator ID and the ciphertext (fragment A) of the symmetric key are mainly recorded, and as the operator does not check the data authority, the ciphertext of the symmetric key B fragment does not appear in the account book.
The administrator authorizes the account book: the transaction ID, the supervisor ID, the symmetric key supervision fragment ciphertext (fragment B) and the symmetric key operation fragment ciphertext (fragment A) are mainly recorded (initially empty, and the evaluation is carried out after the operator audits).
The embodiment adopts a local encryption mode to carry out business privacy protection on the shared account book formed in the transaction process. The account book structure of partial encryption mainly comprises public information (plaintext part) and sensitive information (ciphertext part), the account book is authorized by the utilization party, the account book is authorized by the operation party, and the account book is authorized by the monitoring party. The specific process is shown in fig. 3, and comprises the following steps:
1. and generating a symmetric key according to a symmetric encryption algorithm set by a system, wherein the symmetric key consists of a 16-bit root key and a 16-bit dynamic key. The specific process is as follows:
(1) generating a 16-bit root key: carrying out AES 128-bit encryption by transaction certificate number + date, and taking the first 16 bits to generate a root key;
(2) and generating a 16-bit dynamic key, wherein the algorithm is as follows:
the method selects numbers, letters and special symbols as seed characters, and the embodiment takes the following steps:
the number: 1-9, denoted as N;
letter: A-Z, denoted as Z;
the special symbol [ "- [ \\ \ ]. <.
The dynamic key is Nx+Zx+Tx
Wherein m is the digit number of the dynamic key, x is the array subscript, the x initial value changes to 1-7, represents monday to sunday, changes along with the change of the generated symmetric key, and if it is tuesday, x is 2. And so on until 16-bit character, if NxIf the number of bits is greater than 9, the maximum value is obtained for the first time, and the number of bits of x is subtracted from the maximum value for the second time and later. If it is saturday, the dynamic key is:
dynamic key 1 ═ 6+ F + #
Dynamic key 2 ═ 7+ G + $
Dynamic secret key 3 ═ 8+ H + ^ c
Dynamic key 4 ═ 9+ I + &
Dynamic key 5 ═ 9+ J +
Dynamic key 6 ═ 9-6) + K + (, and so on up to 16-bit characters.
(3) Combining the 16-bit root key and the 16-bit dynamic key to generate a symmetric key;
(4) the symmetric key is encrypted using the MD5 encryption algorithm to generate 32-bit ciphertext data.
2. Encrypting the ciphertext part of the shared account book by adopting a symmetric encryption algorithm and the symmetric key obtained in the step 1;
3. acquiring transaction certificates of a utilizing party, an operating party and a monitoring party according to system setting, and acquiring a transaction public key from the transaction certificates;
4. and (3) authorizing by the provider: the provider encrypts the symmetric key by using the transaction public key of the provider, and writes the encrypted symmetric key into a user authorized account book, an operator authorized account book and a supervisor authorized account book;
5. and key fragment authorization: the symmetric key performs parity slicing. Encrypting the fragment A by using a public key of an operator, and writing the fragment A into an authorized account book of the operator; and encrypting the fragment B by using the public key of the supervisor, and writing the fragment B into the supervisor authorization account book.
The specific fragmentation method and encryption algorithm are as follows:
(1) dividing the symmetric key generated in the step 1 into odd number A fragments and even number B fragments according to the odd number and the even number of bytes;
(2) performing CRC16 check on the fragment A and the fragment B respectively to form respective 18-byte key fragments;
(3) performing BASE64 encoding on the key fragments in the step (2);
(4) encrypting the fragment A by using the public key of the operator, and writing the fragment A into an authorized account book of the operator;
(5) and encrypting the fragment B by using the public key of the supervisor, and writing the fragment B into the authorized account book of the supervisor.
And the monitoring party extracts the public data from the shared ledger according to the public events or at random. And applying for a piece A of the symmetric key to the operator according to the public data ID. And after the public key A piece is obtained, the public key A piece is decrypted to generate a symmetric key so as to realize supervision on the secret data in the shared account book. As shown in fig. 4, the specific steps are as follows:
1. the supervisor uses the public part of the shared account book to inquire;
2. the method comprises the following steps that a supervisor makes a supervision application to an operator for data to be supervised;
3. the operator decrypts the symmetric key A slice by using the transaction private key of the operator, and encrypts the symmetric key A slice by using the public key of the supervisor;
4. the supervisor decrypts the symmetric key A slice and the symmetric key B slice by using the own key, and decodes by using BASE64 coding to obtain the symmetric key;
5. and the supervisor decrypts the ciphertext part of the shared account book by using the acquired symmetric key.
When the utilization party carries out transaction, the data in the shared account book needs to be checked and utilized in real time. In the transaction process, the specific operation of acquiring the ciphertext part of the account book is as follows:
1. when a user carries out a transaction, a ciphertext part of the account book is obtained according to the public part of the account book;
2. inquiring a ciphertext of the obtained symmetric key in an authorized account book of the utilizing party;
3. decrypting the symmetric key by using the transaction public key to obtain a plaintext of the symmetric key;
4. and decrypting the acquired ciphertext part of the account book by using the symmetric key, and performing corresponding business operation by using the decrypted data.
After the transaction key of the provider is leaked or lost, the provider needs to re-encrypt the symmetric key in the shared account book by using a new public key, and the specific operation steps are as follows:
1. the provider submits the new public key to the operator to apply for recovering data;
2. the operator decrypts the piece A of the symmetric key in the account book authorized by the operator by using the private key of the operator, encrypts the piece A by using the new public key of the provider to form a piece A of the symmetric key encrypted by using the new public key, and writes the piece A into the account book authorized by the user;
3. the provider submits the new public key to the supervisor to apply for recovering data;
4. the supervisor decrypts the B piece of the symmetric key in the supervisor authorization account book by using the private key of the supervisor, and encrypts by using the new public key of the provider to form the B piece of the symmetric key encrypted by using the new public key, and writes the B piece of the symmetric key into the user authorization account book;
5. the provider traverses the account book authorized by the user, decrypts the A piece and the B piece of the symmetric key encrypted by the new public key by using the transaction private key of the provider, and synthesizes the symmetric key again.
6. And encrypting the synthesized symmetric key by using the transaction public key, and storing the encrypted symmetric key into an authorized account book of the user.
The invention can realize the authorization of a legal user and the secrecy of an unauthorized user through data encryption, and realize the data supervision control of the restriction of an operator and a supervisor through the fragment storage of the symmetric key of the ciphertext data in the shared account book. The invention not only can realize the encryption protection of the sensitive data of the shared account book, but also can prevent the supervisors from leaking the data in batches, thereby realizing effective data supervision control. The invention only saves the ciphertext of the symmetric key in the user authorized account book, the supervisor authorized account book and the operator authorized account book, and has less system storage data and high access efficiency. When a transaction key (public and private key pair) of a provider is replaced, the invention can regenerate the ciphertext of the symmetric key by using a new public key of the provider, thereby ensuring that the historical data is available.

Claims (7)

1. A privacy protection and data supervision control method based on a shared account book is characterized by comprising the following steps:
(1) establishing a shared account book authority model by using an intelligent contract technology according to the authority requirement of participant data control;
(2) the provider encrypts, authorizes and links the transaction data;
(3) the supervisor checks the shared account book, and applies for the symmetric key fragment from the operator to check the ciphertext data of the account book;
(4) and the utilization party acquires the symmetric key and uses the ledger ciphertext data.
2. The method of claim 1, wherein the method comprises the steps of,
the shared account book authority model in the step (1) comprises a shared account book, an authorized account book of a utilization party, an authorized account book of an operation party and an authorized account book of a monitoring party.
3. The method of claim 1, wherein the method comprises the steps of,
the step (2) specifically comprises the following steps:
(21) generating a symmetric key by adopting a symmetric encryption algorithm;
(22) encrypting the ciphertext part of the shared account book by adopting a symmetric encryption algorithm and the symmetric key;
(23) acquiring transaction certificates of a user, an operator and a supervisor, and acquiring transaction public keys of the transaction certificates;
(24) and (3) authorizing by the provider: the provider encrypts the symmetric key by using the transaction public key of the provider, and writes the encrypted symmetric key into a user authorized account book, an operator authorized account book and a supervisor authorized account book;
(25) and key fragment authorization: parity fragmentation is carried out on the symmetric key to obtain a fragment A and a fragment B, the fragment A is encrypted by using a public key of an operator and is written into an authorized account book of the operator; and encrypting the fragment B by using the public key of the supervisor, and writing the fragment B into the supervisor authorization account book.
4. The method of claim 1, wherein the method comprises the steps of,
the symmetric key in step (21) includes a 16-bit root key and a 16-bit dynamic key, and the generation process is as follows: carrying out AES 128-bit encryption by transaction certificate number and date, and taking the first 16 bits to generate a root key;
selecting numbers, letters and special symbols as seed characters, wherein the numbers are marked as N, the letters are marked as Z, the special symbols are marked as T, and then the dynamic secret key m is Nx+Zx+TxWherein m is the number of bits of the dynamic key, x is the index of the array, and when N isxWhen the value of (1) is greater than 9, the maximum value is obtained for the first time, and the digit of x is subtracted from the maximum value for the second time and later;
combining the 16-bit root key and the 16-bit dynamic key to generate a symmetric key;
the symmetric key is encrypted using the MD5 encryption algorithm to generate 32-bit ciphertext data.
5. The method of claim 1, wherein the method comprises the steps of,
the step (3) specifically comprises the following steps:
(31) the method comprises the following steps that a supervisor makes a supervision application to an operator for data to be supervised;
(32) the operator decrypts the fragment A of the symmetric key by using the own transaction private key, and encrypts the fragment A of the symmetric key by using the public key of the supervisor;
(33) the supervisor decrypts the fragment A and the fragment B of the symmetric key by using the own key to obtain the symmetric key;
(34) and the supervisor decrypts the ciphertext part of the shared account book by using the symmetric key.
6. The method of claim 1, wherein the method comprises the steps of,
the step (4) specifically comprises the following steps:
(41) when a user carries out transaction, a ciphertext part of the shared account book is obtained according to the plaintext part of the shared account book;
(42) the user inquires and obtains the ciphertext of the symmetric key in the user authorized account book;
(43) the user decrypts the symmetric key by using the transaction public key of the user to obtain a plaintext of the symmetric key;
(44) and decrypting the ciphertext part of the shared account book by using the symmetric key, and performing corresponding business operation by using the decrypted data.
7. The method of claim 1, wherein the method comprises the steps of,
when the key needs to be updated, the symmetric key recovery processing is performed on the historical data of the shared account book, and the method specifically comprises the following steps:
the provider submits the new public key to the operator to apply for recovering data;
the operator decrypts the fragment A of the symmetric key in the operator authorized account book by using the private key of the operator, encrypts by using the new public key of the provider, and writes into the user authorized account book;
the provider submits the new public key to the supervisor to apply for recovering data;
the supervisor decrypts the fragment B of the symmetric key in the supervisor authorization account book by using the private key of the supervisor, encrypts by using the new public key of the provider, and writes into the user authorization account book;
the provider traverses the account book authorized by the user, decrypts the fragment A and the fragment B of the symmetric key by using the transaction private key of the provider, and synthesizes the symmetric key again;
and encrypting the synthesized symmetric key by using the transaction public key, and storing the encrypted symmetric key into an authorized account book of the user.
CN201911258785.1A 2019-12-10 2019-12-10 Privacy protection and data supervision control method based on shared account book Active CN111010386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911258785.1A CN111010386B (en) 2019-12-10 2019-12-10 Privacy protection and data supervision control method based on shared account book

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911258785.1A CN111010386B (en) 2019-12-10 2019-12-10 Privacy protection and data supervision control method based on shared account book

Publications (2)

Publication Number Publication Date
CN111010386A true CN111010386A (en) 2020-04-14
CN111010386B CN111010386B (en) 2021-12-21

Family

ID=70114336

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911258785.1A Active CN111010386B (en) 2019-12-10 2019-12-10 Privacy protection and data supervision control method based on shared account book

Country Status (1)

Country Link
CN (1) CN111010386B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567247A (en) * 2022-08-31 2023-01-03 西安电子科技大学 Decentralized multi-authority privacy protection data access control method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979590A (en) * 2017-11-02 2018-05-01 财付通支付科技有限公司 Data sharing method, client, server, computing device and storage medium
CN108768633A (en) * 2018-05-30 2018-11-06 腾讯科技(深圳)有限公司 Realize the method and device of information sharing in block chain
US20190318356A1 (en) * 2018-04-17 2019-10-17 Coinbase, Inc. Offline storage system and method of use

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979590A (en) * 2017-11-02 2018-05-01 财付通支付科技有限公司 Data sharing method, client, server, computing device and storage medium
US20190318356A1 (en) * 2018-04-17 2019-10-17 Coinbase, Inc. Offline storage system and method of use
CN108768633A (en) * 2018-05-30 2018-11-06 腾讯科技(深圳)有限公司 Realize the method and device of information sharing in block chain

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567247A (en) * 2022-08-31 2023-01-03 西安电子科技大学 Decentralized multi-authority privacy protection data access control method and system
CN115567247B (en) * 2022-08-31 2024-03-19 西安电子科技大学 Decentralized multi-authority privacy protection data access control method and system

Also Published As

Publication number Publication date
CN111010386B (en) 2021-12-21

Similar Documents

Publication Publication Date Title
CN109495274B (en) Decentralized intelligent lock electronic key distribution method and system
CN104486315B (en) A kind of revocable key outsourcing decryption method based on contents attribute
CN1939028B (en) Accessing protected data on network storage from multiple devices
US9704159B2 (en) Purchase transaction system with encrypted transaction information
CN106104562A (en) Safety of secret data stores and recovery system and method
CN104158880B (en) User-end cloud data sharing solution
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN103957109A (en) Cloud data privacy protection security re-encryption method
CN104253694A (en) Encrypting method for network data transmission
CN105933345B (en) It is a kind of that outsourcing attribute base encryption method can verify that based on linear privacy sharing
CN105722067A (en) Mobile terminal data encryption/decryption method and mobile terminal data encryption/decryption device
CN104270242A (en) Encryption and decryption device used for network data encryption transmission
CN204180095U (en) A kind of ciphering and deciphering device for network data encryption transmission
CN104660590A (en) Cloud storage scheme for file encryption security
CN105721146B (en) A kind of big data sharing method towards cloud storage based on SMC
JP2022550774A (en) Key generation for use in secure communications
CN108768636A (en) A method of restoring private key using multi-party collaboration
CN111010386B (en) Privacy protection and data supervision control method based on shared account book
CN116318696B (en) Proxy re-encryption digital asset authorization method under condition of no initial trust of two parties
CN111428267A (en) Distributed enterprise information management system and method based on information sharing mechanism
CN115204876A (en) Quantum security U shield equipment and method for mobile payment
CN110048852A (en) Quantum communications service station Signcryption method and system based on unsymmetrical key pond
CN115834038A (en) Encryption method and device based on national commercial cryptographic algorithm
CN109726583A (en) Cloud data base encryption server system
TWI430643B (en) Secure key recovery system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 200040, room 710, 302 Changping Road, Shanghai, Jingan District

Applicant after: Shanghai Xinlian Information Development Co., Ltd

Address before: 200040, room 710, 302 Changping Road, Shanghai, Jingan District

Applicant before: SHANGHAI ZHONGXIN INFORMATION DEVELOPMENT Co.,Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant