CN111212026A - Data processing method and device based on block chain and computer equipment - Google Patents

Data processing method and device based on block chain and computer equipment Download PDF

Info

Publication number
CN111212026A
CN111212026A CN201911149572.5A CN201911149572A CN111212026A CN 111212026 A CN111212026 A CN 111212026A CN 201911149572 A CN201911149572 A CN 201911149572A CN 111212026 A CN111212026 A CN 111212026A
Authority
CN
China
Prior art keywords
data
sub
subdata
secondary node
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911149572.5A
Other languages
Chinese (zh)
Inventor
赖骏
王梦寒
高建欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
OneConnect Smart Technology Co Ltd
OneConnect Financial Technology Co Ltd Shanghai
Original Assignee
OneConnect Financial Technology Co Ltd Shanghai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by OneConnect Financial Technology Co Ltd Shanghai filed Critical OneConnect Financial Technology Co Ltd Shanghai
Priority to CN201911149572.5A priority Critical patent/CN111212026A/en
Priority to PCT/CN2020/087739 priority patent/WO2021098152A1/en
Publication of CN111212026A publication Critical patent/CN111212026A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data processing method, a device and computer equipment based on a block chain, wherein a data monitoring end and a data providing end are provided with a primary node and a secondary node of the block chain, and the method comprises the following steps: dividing original data into a plurality of subdata; generating a plurality of sub-keys corresponding to the plurality of sub-data; respectively encrypting the sub-data by adopting the sub-keys to generate a plurality of ciphertexts; sending the ciphertext to each primary node of the block chain; judging whether the data monitoring end has the monitoring authority of all the subdata, and if not, determining first subdata with the monitoring authority of the data monitoring end in the plurality of subdata; and sending the first sub-key corresponding to the first sub-data to a secondary node corresponding to the data manager, so that the secondary node corresponding to the data manager can decrypt the ciphertext corresponding to the first sub-data by using the first sub-key. The method can split the original data into separate uplinks, and improves the flexibility of encrypted data processing.

Description

Data processing method and device based on block chain and computer equipment
Technical Field
The invention relates to the field of block chains, in particular to a data processing method and device based on a block chain and computer equipment.
Background
Aiming at the situation that in a block chain network provided with a supervision mechanism, data uploaded by a data provider needs to be monitored by a data supervisor, in order to prevent sensitive data of a user from being randomly accessed by other non-supervisors in a block chain, the data of the user needs to be encrypted and linked up, an authorized key mode is adopted for the data needing to be obtained, and the supervisor can check encrypted data corresponding to the key on the chain after taking the key. In a traditional encryption authorization mode, the whole service data must be authorized to a monitoring party at the same time, so that the overall security and independence of each encrypted data are ensured. However, in actual service requirements, under the condition that there are multiple supervisors and each supervisors has different supervision authorities, if it is desired that different supervisors supervise different contents in the same service data, for example, contents with different attributes in the same service data, the same service data must be split and sent to a block chain, and because these multiple pieces of data belong to the same service data and are associated with each other, and the split and separation also needs to manage the relationship among these multiple pieces of data, such an operation is complicated, which brings great trouble to the encrypted data processing of the service end, and reduces the flexibility of the encrypted data processing.
Disclosure of Invention
The embodiment of the invention provides a data processing method, a data processing device, a storage medium and computer equipment based on a block chain, which are used for solving the problem of low flexibility of encrypted data processing in the prior art.
In a first aspect, an embodiment of the present invention provides a data processing method based on a blockchain, where the blockchain includes a primary node and a secondary node, and a data supervisor end and a data provider end are both configured with the corresponding primary node and secondary node, where the secondary node corresponding to the data supervisor end is used to establish a connection between the data supervisor end and the corresponding primary node, and the secondary node corresponding to the data provider end is used to establish a connection between the data provider end and the corresponding primary node; the method is applied to a data providing end, and comprises the following steps:
acquiring original data, and dividing the original data into a plurality of subdata;
generating a plurality of sub-keys corresponding to the plurality of sub-data one by one;
encrypting each subdata in the subdata by adopting the plurality of subkeys respectively to generate a plurality of ciphertexts corresponding to the subdata one by one;
sending the plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node;
judging whether the data monitoring end has the monitoring authority of all the subdata, if not, determining first subdata with the monitoring authority of the data monitoring end in the plurality of subdata;
and sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data supervisor end, so that the secondary node corresponding to the data supervisor end can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data supervisor end.
Optionally, the dividing the original data into a plurality of sub-data includes:
judging whether the original data is in a JSON format or not;
if not, converting the original data into a JSON format;
and taking each key value pair in the converted original data in the JSON format as sub-data so as to divide the original data into a plurality of sub-data.
Optionally, the generating a plurality of sub keys corresponding to the plurality of sub data one to one includes:
generating a root key, an initial parameter and an appointed stepping value corresponding to the original data;
and performing iterative operation on the root key, the initial parameter and the agreed stepping value based on a preset subkey derivation mechanism to generate a plurality of subkeys corresponding to the plurality of subdata one by one.
Optionally, the generating a root key corresponding to the original data includes:
acquiring a password input by a user and generating a random number;
randomly selecting a first preset algorithm from a plurality of preset algorithms, and calculating the password and the random number based on the first preset algorithm to obtain the root key, wherein each preset algorithm in the plurality of preset algorithms corresponds to a unique algorithm identifier;
and storing the random number and the algorithm identification corresponding to the first preset algorithm in the corresponding secondary node.
Optionally, the method further comprises: if the data manager has the management authority of all the subdata, the generated root key, the initial parameter and the agreed stepping value are sent to the data manager, so that the data manager can perform iterative operation on the root key, the initial parameter and the agreed stepping value according to the subkey derivation mechanism to obtain a subkey corresponding to each subdata, and each subkey is stored in a corresponding secondary node.
In a second aspect, an embodiment of the present invention provides a data encryption apparatus based on a blockchain, including:
the block chain comprises a primary node and a secondary node, and a data supervisor end and a data providing end are respectively provided with the corresponding primary node and the corresponding secondary node, wherein the secondary node corresponding to the data supervisor end is used for establishing the connection between the data supervisor end and the corresponding primary node, and the secondary node corresponding to the data providing end is used for establishing the connection between the data providing end and the corresponding primary node; the data encryption device is applied to a data providing end, and comprises:
the dividing module is used for acquiring original data and dividing the original data into a plurality of subdata;
the first generation module is used for generating a plurality of sub keys which correspond to the plurality of sub data one by one;
the second generation module is used for encrypting each subdata in the subdata by adopting the plurality of subkeys respectively to generate a plurality of ciphertexts corresponding to the subdata one by one;
the first sending module is used for sending the plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node;
the determining module is used for judging whether the data monitoring end has the monitoring authority of all the subdata, and if not, determining first subdata with the monitoring authority of the data monitoring end in the plurality of subdata; and
and the second sending module is used for sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data administrator, so that the secondary node corresponding to the data administrator can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data administrator.
Optionally, the dividing module includes:
the judging unit is used for judging whether the original data is in a JSON format or not;
the conversion unit is used for converting the original data into a JSON format when the original data is not in the JSON format; and
and the dividing unit is used for taking each key value pair in the converted original data in the JSON format as sub-data so as to divide the original data into a plurality of sub-data.
Optionally, the first generating module comprises:
the generating unit is used for generating a root key, an initial parameter and an appointed stepping value corresponding to the original data; and
and the first operation unit is used for performing iterative operation on the root key, the initial parameter and the agreed stepping value based on a preset subkey derivation mechanism to generate a plurality of subkeys in one-to-one correspondence with the plurality of subdata.
In a third aspect, an embodiment of the present invention provides a storage medium, where the storage medium includes a stored program, and when the program runs, a device in which the storage medium is located is controlled to execute the method.
In a fourth aspect, an embodiment of the present invention provides a computer device, including a memory for storing information including program instructions and a processor for controlling execution of the program instructions, the program instructions being loaded and executed by the processor to implement the above method.
It can be understood that, in the embodiment of the present invention, when data encryption is implemented, the original data is divided into different sub-data according to a preset rule, then a plurality of sub-keys are generated, and the sub-keys are used to encrypt the plurality of sub-data, so as to implement separate encryption of the plurality of sub-data of one original data, thereby implementing individual decryption of the plurality of sub-data of the same service data using corresponding sub-keys, and further implementing individual access to different sub-data of the same service data.
In addition, the invention sets the secondary node to butt joint the primary node with the data monitoring end and the data providing end, so that the data monitoring end and the data providing end only need to pass through the node butt joint block chain, the butt joint mode reduces the modification difficulty of the butt joint block chain corresponding to the data monitoring end and the data providing end, saves the implementation time and labor, and meanwhile, the data monitoring end and the data providing end are not directly butt jointed with the primary node of the block chain, thereby further ensuring the safety of the data stored in the primary node.
Drawings
The invention is further illustrated with reference to the following figures and examples.
Fig. 1 is a flowchart of a data processing method based on a block chain according to an embodiment of the present invention;
fig. 2 is a schematic block diagram of a data encryption apparatus according to an embodiment of the present invention;
fig. 3 is a schematic block diagram of a computer device according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The embodiment of the invention provides a data processing method based on a block chain, wherein the block chain comprises a primary node and a secondary node, and a data supervisor end and a data providing end are respectively provided with the corresponding primary node and the corresponding secondary node, wherein the secondary node arranged by the data supervisor end is used for establishing connection between the data supervisor end and the primary node arranged by the data supervisor end, and the secondary node arranged by the data providing end is used for establishing connection between the data providing end and the primary node arranged by the data providing end.
The block chain in the implementation of the present invention may specifically refer to a P2P network system with a distributed data storage structure, where each node is achieved through a consensus mechanism, data in the block chain is distributed in temporally consecutive blocks (blocks), and the latter block contains data digests of the former block, and full backup of data of all or part of the nodes is achieved according to different specific consensus mechanisms (such as POW, POS, DPOS, PBFT, etc.). As is well known to those skilled in the art, since the blockchain system operates under a corresponding consensus mechanism, data that has been recorded in the blockchain database is difficult to be tampered with by any node, and thus the blockchain system has the characteristics of ensuring data security and preventing attack and tampering, which are compared with other centralized database systems. Therefore, in the embodiments provided in the present specification, the "information" provided by the data provider and included by the level one node of the blockchain is not attacked or tampered, so as to ensure the authenticity and fairness of the supervision.
In the embodiment of the present invention, the primary node of the blockchain is an electronic device, such as a tablet Computer, a Personal Computer (PC), or other intelligent devices, that stores data on the blockchain, and the secondary node of the blockchain is a server or a terminal that is used to establish a connection between the data manager/data provider and the primary node and store a key.
The data monitoring end in the embodiment of the present invention is a terminal where an organization performing monitoring responsibilities in information monitoring is located, the data providing end in the embodiment provided in the present invention may specifically be a monitored terminal in information monitoring, and may also be other terminals in data connection with the monitored terminal, the terminal may be, for example, a smart phone, a tablet Computer, a Personal Computer (PC), or other intelligent devices, and the "information" provided by the data providing end is the information data of the monitored object.
In the embodiment of the present invention, a plurality of data policers or data providers of the access block chain may be provided, each data policer or data provider of the access block chain is configured with a corresponding independent secondary node, each data policer or data provider of the access block chain may be configured with an independent primary node, or a plurality of data policers or data providers share a node.
In the embodiment of the invention, a central-Private-Partnership (PPP) system and a provincial finance department system are used as data monitoring terminals, and various social capital, financial institutions, project companies, intermediary institutions and shareholder systems are different data providing terminals.
In the embodiment of the invention, the blockchain also comprises a management node, and the management node of the blockchain manages each secondary node through the CA digital certificate to verify the validity of the secondary node. When the secondary node is connected into the block chain, the legality of the CA digital certificate of the secondary node is checked, if the CA digital certificate of the secondary node is legal, the connection between the secondary node and the primary node is established, and the CA digital certificate is not checked any more in the time of keeping the connection. If the secondary node disconnects from the primary node, the validity of the CA digital certificate needs to be checked when the connection is requested again. The CA digital certificate has a certificate (including a public key) and a private key, and the signature of the CA digital certificate is verified, so that a secondary node corresponding to the CA digital certificate is trusted.
In the embodiment of the invention, the data processing method takes a data providing end as an execution main body, and comprises the following steps:
step S01: the method comprises the steps of obtaining original data and dividing the original data into a plurality of subdata.
Step S02: a plurality of sub-keys corresponding to the plurality of sub-data one to one are generated.
Step S03: and encrypting each subdata in the subdata by adopting a plurality of subkeys to generate a plurality of ciphertexts corresponding to the subdata one by one.
Step S04: and sending the plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node, so that each primary node stores the ciphertexts.
Step S05: judging whether the data supervision end has supervision authorities of all the subdata, and if the data supervision end does not have the supervision authorities of all the subdata, determining first subdata in the subdata, wherein the first subdata is data of which the data supervision end has the supervision authorities;
step S06: and sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data supervisor end, so that the secondary node corresponding to the data supervisor end can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data supervisor end.
It can be understood that, in the embodiment of the present invention, when data encryption is implemented, original data is divided into different sub-data according to a preset rule, then a plurality of sub-keys are generated, and the plurality of sub-data are encrypted by using the sub-keys, so as to implement separate encryption of the plurality of sub-data of one original data, thereby implementing separate decryption of the plurality of sub-data of the same service data by using corresponding sub-keys, and further implementing separate access to different sub-data of the same service data.
In addition, the invention sets the secondary node to butt joint the primary node with the data monitoring end and the data providing end, so that the data monitoring end and the data providing end only need to pass through the node butt joint block chain, the butt joint mode reduces the modification difficulty of the butt joint block chain corresponding to the data monitoring end and the data providing end, saves the implementation time and labor, and meanwhile, the data monitoring end and the data providing end are not directly butt jointed with the primary node of the block chain, thereby further ensuring the safety of the data stored in the primary node.
A specific implementation of the data processing method based on the block chain according to the embodiment of the present invention is described in more detail below with reference to fig. 1.
First, step S01 is executed: the method comprises the steps of obtaining original data and dividing the original data into a plurality of subdata.
Specifically, in the present embodiment, the raw data includes, but is not limited to, data generated during the project process, such as project name, project type, project amount, project feasibility report, environmental assessment report, and value of property assessment report.
Further, step S01: dividing the original data into a plurality of subdata, which may specifically include:
step S011: judging whether the original data is in a JSON format or not;
step S012: if not, converting the original data into a JSON format;
step S013: and taking each key value pair in the converted JSON format original data as one subdata to divide the original data into a plurality of subdata.
Further, if the original data is in the JSON format, the original data may be split into different parts according to key value pairs in the JSON format to obtain different sub-data, that is, each key value pair in the JSON format is used as one sub-data. If the original data is not in the JSON format, the original data is converted into a Key Value pair format, namely, an object in the original data is used as a Key, and the Value or the attribute of the object is used as Value. For example, if the original data is in an array format, after the array format of the data is converted into a JSON object, the Key Value is an index in the array, and the Value is a Value corresponding to the array. After the data to be encrypted is converted into key value pairs, each key value pair is used as sub data, the data to be encrypted is divided into a plurality of sub data, and flexible authorization of the data corresponding to the sub data is further realized through encryption of different sub data. The way of dividing the sub-data may be to divide the sub-data according to the attribute of the data, for example, the data of the same service attribute is in a JSON format, and each Key-Value pair (i.e., Key-Value pair) of the JSON is used as a sub-data (Field in english).
It should be noted that the subdata refers to a data range encrypted by using a key for independent authorization, and two columns of data such as the item name and the manifest price may be one subdata respectively. The JSON, which is a JSON object notation in java script object notation and JSON object notation, is a lightweight data exchange format, and the writing format of JSON data is as follows: name/value pairs.
Then, step S02 is performed to generate a plurality of sub-keys corresponding one-to-one to the plurality of sub-data.
Specifically, in step S02, generating a plurality of sub-keys corresponding to the plurality of sub-data one to one may specifically include:
step S021: generating a root key, an initial parameter and an appointed stepping value corresponding to the original data;
specifically, the initial parameter may be a random number with a fixed length instantly generated by a random number generator inside the data provider, for example, 342, and the initial parameter and the default step value may be preset or instantly generated as the initial parameter.
Step S022: and based on a preset subkey derivation mechanism, performing iterative operation on the root key, the initial parameters and the agreed stepping values to generate a plurality of subkeys corresponding to the plurality of subdata one by one.
Specifically, in the embodiment of the present application, the process of performing iterative operation on the root key, the initial parameter, and the agreed step value to generate a plurality of sub keys corresponding to the plurality of sub data one to one specifically includes: substituting the root key and the initial parameter into a preset first function to obtain a first sub-key, and simultaneously adding the initial parameter and the appointed stepping value to obtain a first variable; then substituting the root key and the first variable into a preset first function to obtain a second sub key, and simultaneously adding the first variable and the appointed stepping value to obtain a second variable; and then substituting the root key and the second variable into a preset first function to obtain a third sub-key, and repeating the steps until a preset number of sub-keys are generated.
For example, when the number of the sub-data is 3, the computing Key1 is BootKey + f (V0), where BootKey is a root Key and V0 is an initial parameter, so as to obtain a first sub-Key 1; then, V1 is calculated to be V0+ stepactor, where stepactor is an appointed step value to obtain a first variable V1, and Key2 is calculated to be BootKey + f (V1) to obtain a second sub-Key 2; then, the first variable V2 is obtained by calculating V2 ═ V1+ stepfacor, and the third sub-Key 3 is obtained by calculating Key3 ═ BootKey + f (V2).
Further, step S021: generating a root key corresponding to the original data may specifically include:
step S0211: acquiring a password input by a user and generating a random number;
the password can be obtained by pressing or clicking on the touchable display screen by the user or inputting through a physical keyboard, and the random number is generated by a random number generation unit inside the data providing terminal.
In the embodiment of the present invention, the password input by the user may be obtained first, and then the random number is generated, or the random number is generated first and then the password input by the user is obtained, which is not limited in the present invention.
Step S0212: randomly selecting a first preset algorithm from a plurality of preset algorithms, and calculating a password and a random number based on the first preset algorithm to obtain a root key, wherein each preset algorithm in the plurality of preset algorithms corresponds to a unique algorithm identifier;
the preset algorithms may include, but are not limited to, a KDF (Key Derivation Function) algorithm, a bcrypt encryption algorithm, a Blowfish algorithm, a DES algorithm, a DESede algorithm, an HmacMD5 algorithm, an HmacSHA1 algorithm, and the like, each algorithm corresponds to a unique algorithm identifier, for example, 1, 2, 3, and the like, and a password and a random number input by a user are used as input data of the preset algorithm, so as to obtain a root Key. Taking KDF algorithm as an example of the first pre-algorithm, computing BootKey (PBKDF 2) (Password, Salt, it), where Password is a Password input by a user, Salt is an internally generated random number, and it is an iteration number, which may be specified according to a user requirement.
Step S0213: and storing the random number and the algorithm identification corresponding to the first preset algorithm in the corresponding secondary node.
Further, after the data provider sends the generated sub-key to the corresponding data manager with the management authority, the data provider deletes the calculated first root key.
When the data providing end needs to query one or more subdata in the original data, the data providing end obtains a ciphertext corresponding to the subdata needing to be queried from a configured secondary node, and then decrypts the ciphertext, wherein the decryption process comprises the following steps: generating prompt information to prompt a user to input a corresponding password, wherein the password is input when the user uploads corresponding original data, determining a first preset algorithm in a plurality of preset algorithms according to a stored algorithm identifier corresponding to the first preset algorithm, then taking the password input by the user and a stored random number as input data of the first preset algorithm to obtain a root key, further obtaining a corresponding sub-key through root key operation, and decrypting through the sub-key to obtain a corresponding plaintext, namely sub-data.
It can be understood that, since the root key is the root of the whole original data key system, storing the root key brings about the hidden security protection danger of the root key, and increases the security risk. Therefore, the invention does not store the root key directly, but stores the parameter (such as random number) for generating the root key and the algorithm identification, so that the security of the whole system is greatly improved. An attacker cannot steal the root key, and cannot crack other keys in the whole key system. Meanwhile, the secondary node generated by the data providing end cannot store all information such as the subkeys, and the use of storage space can be reduced. In addition, the invention increases the flexibility and the safety of generating the root key by using the input password of the user as the generation parameter of the root key.
Next, step S03 is executed to encrypt each sub-data of the sub-data by using the sub-keys, and generate a plurality of ciphertexts corresponding to the sub-data one by one.
Specifically, for example, if the plurality of subdata are respectively a project name, a project amount and an enterprise name, the project name can be encrypted by using the Key1, so that the project name can be accessed independently by using the Key 1; the Key2 is used for encrypting the amount of the project, so the Key2 can be used for independently accessing the amount of the project, the Key3 is used for encrypting the enterprise name, and the Key3 can be used for independently accessing the enterprise name, so that different subdata are respectively and correspondingly encrypted by using different subkeys, and further, the independent authorization and access of different subdata of the same service data by using the independent keys are realized.
Then, step S04 is executed to send multiple ciphertexts to each primary node of the block chain through the corresponding secondary node, and each primary node of the block chain receives the ciphertexts and stores the ciphertexts.
More specifically, when each primary node stores the ciphertext, different indexes are respectively established for different ciphertexts, so that the data monitor terminal and the data providing terminal can query the corresponding ciphertext according to the different indexes.
And then, executing a step S05, namely judging whether the data supervision end has the supervision authority of all the subdata, and if not, determining the first subdata with the supervision authority in the plurality of subdata.
In the embodiment of the present invention, the monitoring authority of the data monitoring terminal for the sub-data may be set by the user, for example, after the data providing terminal divides the original data into a plurality of sub-data, each sub-data is displayed on the display interface, so that the user can view and select the sub-data authorized by each data monitoring terminal.
Further, the data processing method further comprises: if the data supervisor end has the supervision authority of all the subdata, the generated root key, the initial parameters and the agreed stepping values are sent to the data supervisor end, so that the data supervisor end can perform iterative operation on the root key, the initial parameters and the agreed stepping values according to a subdomain derivation mechanism to obtain a subdomain corresponding to each subdomain and store the subdomain corresponding to each subdomain in a corresponding secondary node, and then the root key is deleted, wherein the data supervisor end and the data providing end are both configured with algorithms corresponding to the subdomain derivation mechanism.
It can be understood that, if the data administrator has administration rights of all the subdata, the generated root key, the initial parameter and the agreed stepping value are sent to the secondary node corresponding to the data administrator, so that the corresponding data administrator can obtain the sub-key corresponding to each subdata according to the root key, the initial parameter and the agreed stepping value, thereby obtaining the plaintext of each subdata. The data providing end is not required to send the sub-key corresponding to each sub-data to the secondary node corresponding to the data monitoring end, so that the data transmission load of the communication network and the use of the storage space of each secondary node are reduced.
Next, step S06 is executed: and sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data supervisor end, so that the secondary node corresponding to the data supervisor end can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data supervisor end.
Further, in order to further improve the security, before the data providing end sends the generated root key, the initial parameter and the agreed step value to the secondary node corresponding to the data administrator, or before the first sub-key corresponding to the first sub-data in the plurality of sub-keys is sent to the secondary node configured by the data administrator, the secondary node corresponding to the data administrator and the secondary node corresponding to the data providing end also verify the data administrator and the data providing end, respectively, wherein the specific process of verifying the data providing end by the secondary node corresponding to the data providing end includes: the method comprises the steps that a secondary node corresponding to a data providing end judges whether the data providing end is in a legal time limit, if not, a token verification request is sent to the data providing end, the secondary node corresponding to the data providing end receives a token of the data providing end and judges whether the token of the data providing end is legal, and if the token of the data providing end is legal, the data providing end is confirmed to pass verification; similarly, the specific process of verifying the data monitoring end by the secondary node corresponding to the data monitoring end comprises the following steps: the second-level node corresponding to the data supervision end judges whether the data supervision end is in a legal period, if not, a token verification request is sent to the data supervision end, the second-level node corresponding to the data supervision end receives a token of the data supervision end and judges whether the token of the data supervision end is legal, and if the token of the data supervision end is legal, the data supervision end is determined to pass the verification. And when the data providing end and the data monitoring end pass the verification, the data providing end sends the generated root key, the initial parameter and the appointed stepping value to a secondary node corresponding to the data monitoring end, or sends a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node configured by the data monitoring end.
It should be noted that, in the data encryption method of each of the above embodiments, the technical features included in different embodiments may be recombined as needed to obtain a combined implementation, but all of them are within the protection scope claimed in the present application.
Referring to fig. 2, the present invention provides a data encryption apparatus 1 based on a block chain, including:
the block chain comprises a primary node and a secondary node, and the data supervisor end and the data providing end are respectively provided with the corresponding primary node and the corresponding secondary node, wherein the secondary node corresponding to the data supervisor end is used for establishing the connection between the data supervisor end and the corresponding primary node, and the secondary node corresponding to the data providing end is used for establishing the connection between the data providing end and the corresponding primary node; the data encryption device is applied to a data providing end, and the data encryption device 1 comprises:
the dividing module 11 is configured to obtain original data and divide the original data into a plurality of subdata;
a first generating module 12, configured to generate a plurality of sub-keys corresponding to the plurality of sub-data one to one;
a second generating module 13, configured to encrypt each of the plurality of subdata by using a plurality of subkeys, and generate a plurality of ciphertexts corresponding to the plurality of subdata one to one;
the first sending module 14 is configured to send a plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node;
the determining module 15 is configured to determine whether the data monitoring end has the monitoring authority of all the subdata, and if not, determine, in the plurality of subdata, first subdata of which the data monitoring end has the monitoring authority; and
the second sending module 16 is configured to send a first sub-key corresponding to the first sub-data in the multiple sub-keys to a second-stage node corresponding to the data administrator, so that the second-stage node corresponding to the data administrator can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data administrator.
Further, the dividing module 11 includes:
the judging unit is used for judging whether the original data is in a JSON format or not;
the conversion unit is used for converting the original data into a JSON format when the original data is not in the JSON format; and
and the dividing unit is used for taking each key value pair in the converted JSON-format original data as one subdata so as to divide the original data into a plurality of subdata.
Further, the first generating module 12 includes:
the generating unit is used for generating a root key, an initial parameter and an appointed stepping value corresponding to the original data; and
and the first operation unit is used for performing iterative operation on the root key, the initial parameters and the appointed stepping value based on a preset subkey derivation mechanism to generate a plurality of subkeys which are in one-to-one correspondence with the plurality of subdata.
Further, the generation unit includes:
the acquisition subunit is used for acquiring the password input by the user and generating a random number;
the operation subunit is used for randomly selecting a first preset algorithm from the plurality of preset algorithms, and operating the password and the random number based on the first preset algorithm to obtain a root key, wherein each preset algorithm in the plurality of preset algorithms corresponds to a unique algorithm identifier; and
and the storage subunit is used for storing the random number and the algorithm identifier corresponding to the first preset algorithm in the corresponding secondary node.
Optionally, the data encryption apparatus 1 further comprises: and the third sending module is used for sending the generated root key, the initial parameter and the agreed stepping value to the data monitoring end when the data monitoring end has the monitoring right of all the subdata, so that the data monitoring end can perform iterative operation on the root key, the initial parameter and the agreed stepping value according to a subkey derivation mechanism to obtain a subkey corresponding to each subdata, and store each subkey in a corresponding secondary node.
The embodiment of the invention provides a storage medium, which comprises a stored program, wherein when the program runs, a device where the storage medium is located is controlled to execute the data processing method in the implementation embodiment.
Referring to fig. 3, an embodiment of the present invention provides a computer device, where the computer device 50 of the embodiment includes: the processor 51, the memory 52, and the computer program 53 stored in the memory 52 and capable of running on the processor 51, where the computer program 53 is executed by the processor 51 to implement the data processing method based on the block chain in the embodiment, and for avoiding repetition, details are not repeated herein. Alternatively, the computer program is executed by the processor 51 to implement the functions of each model/unit in the data processing apparatus 1 in the embodiment, which are not described herein again to avoid redundancy.
The computing device 50 may be a desktop computer, a notebook, a palm top computer, a cloud server, or other computing device. The computer device 50 may include, but is not limited to, a processor 51, a memory 52. Those skilled in the art will appreciate that fig. 3 is merely an example of a computer device 50 and is not intended to limit the computer device 50 and that it may include more or fewer components than shown, or some components may be combined, or different components, e.g., the computer device may also include input output devices, network access devices, buses, etc.
The Processor 51 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 52 may be an internal storage unit of the computer device 50, such as a hard disk or a memory of the computer device 50. The memory 52 may also be an external storage device of the computer device 50, such as a plug-in hard disk provided on the computer device 50, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 52 may also include both internal and external storage devices for the computer device 50. The memory 52 is used for storing computer programs and other programs and data required by the computer device. The memory 52 may also be used to temporarily store data that has been output or is to be output.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a Processor (Processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A data processing method based on a block chain is characterized in that the block chain comprises a primary node and a secondary node, and a data supervisor end and a data providing end are respectively provided with the corresponding primary node and the corresponding secondary node, wherein the secondary node corresponding to the data supervisor end is used for establishing connection between the data supervisor end and the corresponding primary node, and the secondary node corresponding to the data providing end is used for establishing connection between the data providing end and the corresponding primary node; the method is applied to a data providing end, and comprises the following steps:
acquiring original data, and dividing the original data into a plurality of subdata;
generating a plurality of sub-keys corresponding to the plurality of sub-data one by one;
encrypting each subdata in the subdata by adopting the plurality of subkeys respectively to generate a plurality of ciphertexts corresponding to the subdata one by one;
sending the plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node;
judging whether the data monitoring end has the monitoring authority of all the subdata, if not, determining first subdata with the monitoring authority of the data monitoring end in the plurality of subdata;
and sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data supervisor end, so that the secondary node corresponding to the data supervisor end can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data supervisor end.
2. The method of claim 1, wherein the dividing the original data into a plurality of sub-data comprises:
judging whether the original data is in a JSON format or not;
if not, converting the original data into a JSON format;
and taking each key value pair in the converted original data in the JSON format as sub-data so as to divide the original data into a plurality of sub-data.
3. The method of claim 1, wherein the generating a plurality of subkeys corresponding one-to-one to the plurality of subdata comprises:
generating a root key, an initial parameter and an appointed stepping value corresponding to the original data;
and performing iterative operation on the root key, the initial parameter and the agreed stepping value based on a preset subkey derivation mechanism to generate a plurality of subkeys corresponding to the plurality of subdata one by one.
4. The method of claim 3, wherein the generating a root key corresponding to the original data comprises:
acquiring a password input by a user and generating a random number;
randomly selecting a first preset algorithm from a plurality of preset algorithms, and calculating the password and the random number based on the first preset algorithm to obtain the root key, wherein each preset algorithm in the plurality of preset algorithms corresponds to a unique algorithm identifier;
and storing the random number and the algorithm identification corresponding to the first preset algorithm in the corresponding secondary node.
5. The method of claim 1, wherein the method further comprises: if the data manager has the management authority of all the subdata, the generated root key, the initial parameter and the agreed stepping value are sent to the data manager, so that the data manager can perform iterative operation on the root key, the initial parameter and the agreed stepping value according to the subkey derivation mechanism to obtain a subkey corresponding to each subdata, and each subkey is stored in a corresponding secondary node.
6. A data encryption device based on a block chain is characterized in that the block chain comprises a primary node and a secondary node, and a data supervisor end and a data providing end are respectively provided with the corresponding primary node and the corresponding secondary node, wherein the secondary node corresponding to the data supervisor end is used for establishing the connection between the data supervisor end and the corresponding primary node, and the secondary node corresponding to the data providing end is used for establishing the connection between the data providing end and the corresponding primary node; the data encryption device is applied to a data providing end, and comprises:
the dividing module is used for acquiring original data and dividing the original data into a plurality of subdata;
the first generation module is used for generating a plurality of sub keys which correspond to the plurality of sub data one by one;
the second generation module is used for encrypting each subdata in the subdata by adopting the plurality of subkeys respectively to generate a plurality of ciphertexts corresponding to the subdata one by one;
the first sending module is used for sending the plurality of ciphertexts to each primary node of the block chain through the corresponding secondary node;
the determining module is used for judging whether the data monitoring end has the monitoring authority of all the subdata, and if not, determining first subdata with the monitoring authority of the data monitoring end in the plurality of subdata; and
and the second sending module is used for sending a first sub-key corresponding to the first sub-data in the plurality of sub-keys to a secondary node corresponding to the data administrator, so that the secondary node corresponding to the data administrator can decrypt a ciphertext corresponding to the first sub-data by using the first sub-key to obtain a plaintext and return the plaintext to the data administrator.
7. The method of claim 6, wherein the partitioning module comprises:
the judging unit is used for judging whether the original data is in a JSON format or not;
the conversion unit is used for converting the original data into a JSON format when the original data is not in the JSON format; and
and the dividing unit is used for taking each key value pair in the converted original data in the JSON format as sub-data so as to divide the original data into a plurality of sub-data.
8. The method of claim 6, wherein the first generation module comprises:
the generating unit is used for generating a root key, an initial parameter and an appointed stepping value corresponding to the original data; and
and the first operation unit is used for performing iterative operation on the root key, the initial parameter and the agreed stepping value based on a preset subkey derivation mechanism to generate a plurality of subkeys in one-to-one correspondence with the plurality of subdata.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when executed, controls an apparatus in which the storage medium is located to perform the method of any one of claims 1 to 5.
10. A computer device comprising a memory for storing information including program instructions and a processor for controlling execution of the program instructions, characterized in that: the program instructions, when loaded and executed by a processor, implement the method of any one of claims 1 to 5.
CN201911149572.5A 2019-11-21 2019-11-21 Data processing method and device based on block chain and computer equipment Pending CN111212026A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911149572.5A CN111212026A (en) 2019-11-21 2019-11-21 Data processing method and device based on block chain and computer equipment
PCT/CN2020/087739 WO2021098152A1 (en) 2019-11-21 2020-04-29 Blockchain-based data processing method, device, and computer apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911149572.5A CN111212026A (en) 2019-11-21 2019-11-21 Data processing method and device based on block chain and computer equipment

Publications (1)

Publication Number Publication Date
CN111212026A true CN111212026A (en) 2020-05-29

Family

ID=70788016

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911149572.5A Pending CN111212026A (en) 2019-11-21 2019-11-21 Data processing method and device based on block chain and computer equipment

Country Status (2)

Country Link
CN (1) CN111212026A (en)
WO (1) WO2021098152A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021098152A1 (en) * 2019-11-21 2021-05-27 深圳壹账通智能科技有限公司 Blockchain-based data processing method, device, and computer apparatus
CN113660270A (en) * 2021-08-17 2021-11-16 区块动力(广州)科技有限公司 Block chain transaction processing and authority management method thereof
WO2022068362A1 (en) * 2020-09-29 2022-04-07 深圳壹账通智能科技有限公司 Block chain-based information processing method and apparatus, device, and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6917684B1 (en) * 1999-08-31 2005-07-12 Matsushita Electric Industrial Co., Ltd. Method of encryption and decryption with block number dependant key sets, each set having a different number of keys
CN110061840A (en) * 2019-03-12 2019-07-26 平安科技(深圳)有限公司 Data ciphering method, device, computer equipment and storage medium
WO2019174430A1 (en) * 2018-03-14 2019-09-19 郑杰骞 Block chain data processing method, management terminal, user terminal, conversion device, and medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10114969B1 (en) * 2015-08-04 2018-10-30 Jordan White Chaney Ultra-secure blockchain-based electronic information transfer system
CN109639753B (en) * 2018-10-26 2021-08-17 众安信息技术服务有限公司 Data sharing method and system based on block chain
CN110083372B (en) * 2019-03-07 2023-06-16 上海七印信息科技有限公司 Block chain data version upgrading method
CN109977697A (en) * 2019-04-03 2019-07-05 陕西医链区块链集团有限公司 Data authorization method of block chain
CN111212026A (en) * 2019-11-21 2020-05-29 深圳壹账通智能科技有限公司 Data processing method and device based on block chain and computer equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6917684B1 (en) * 1999-08-31 2005-07-12 Matsushita Electric Industrial Co., Ltd. Method of encryption and decryption with block number dependant key sets, each set having a different number of keys
WO2019174430A1 (en) * 2018-03-14 2019-09-19 郑杰骞 Block chain data processing method, management terminal, user terminal, conversion device, and medium
CN110061840A (en) * 2019-03-12 2019-07-26 平安科技(深圳)有限公司 Data ciphering method, device, computer equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021098152A1 (en) * 2019-11-21 2021-05-27 深圳壹账通智能科技有限公司 Blockchain-based data processing method, device, and computer apparatus
WO2022068362A1 (en) * 2020-09-29 2022-04-07 深圳壹账通智能科技有限公司 Block chain-based information processing method and apparatus, device, and medium
CN113660270A (en) * 2021-08-17 2021-11-16 区块动力(广州)科技有限公司 Block chain transaction processing and authority management method thereof
CN113660270B (en) * 2021-08-17 2024-02-06 区块动力(广州)科技有限公司 Blockchain transaction processing and authority management method thereof

Also Published As

Publication number Publication date
WO2021098152A1 (en) 2021-05-27

Similar Documents

Publication Publication Date Title
KR102467596B1 (en) Blockchain implementation method and system
US20200084027A1 (en) Systems and methods for encryption of data on a blockchain
US20190305938A1 (en) Threshold secret share authentication proof and secure blockchain voting with hardware security modules
CN110061845A (en) Block chain data ciphering method, device, computer equipment and storage medium
CN111130757A (en) Multi-cloud CP-ABE access control method based on block chain
CN109067528A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN110881063A (en) Storage method, device, equipment and medium of private data
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN111131336B (en) Resource access method, device, equipment and storage medium under multi-party authorization scene
CN108632385B (en) Time sequence-based cloud storage privacy protection method for multi-branch tree data index structure
CN109347625A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN111212026A (en) Data processing method and device based on block chain and computer equipment
Yan et al. Integrity audit of shared cloud data with identity tracking
CN114584306B (en) Data processing method and related device
CN109981287A (en) A kind of code signature method and its storage medium
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
US20230237437A1 (en) Apparatuses and methods for determining and processing dormant user data in a job resume immutable sequential listing
CN113411187A (en) Identity authentication method and system, storage medium and processor
CN115495768A (en) Secret-related information processing method and system based on block chain and multi-party security calculation
Junghanns et al. Engineering of secure multi-cloud storage
Yang et al. Protecting personal sensitive data security in the cloud with blockchain
CN116827821B (en) Block chain cloud-based application program performance monitoring method
Salem et al. An efficient privacy preserving public auditing mechanism for secure cloud storage
Neela et al. A Hybrid Cryptography Technique with Blockchain for Data Integrity and Confidentiality in Cloud Computing
Raja et al. An enhanced study on cloud data services using security technologies

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200529

RJ01 Rejection of invention patent application after publication