CN111274599A - Data sharing method based on block chain and related device - Google Patents


Info

Publication number: CN111274599A
Authority: CN (China)
Prior art keywords: data, node, credit investigation, authorization, key
Legal status: Pending
Application number: CN202010096196.4A
Other languages: Chinese (zh)
Inventors: 魏威, 高建欣, 谢丹力, 王梦寒, 赵达悦
Current Assignee: OneConnect Smart Technology Co Ltd; OneConnect Financial Technology Co Ltd Shanghai
Original Assignee: OneConnect Financial Technology Co Ltd Shanghai
Application filed by OneConnect Financial Technology Co Ltd Shanghai
Priority to CN202010096196.4A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application relates to the technical field of blockchains and provides a blockchain-based data sharing method and a related device. The method comprises the following steps: acquiring credit investigation data of a transmission node on a blockchain; determining an authorization node corresponding to the credit investigation data; determining the access authority granularity of the authorization node for the credit investigation data and the read-write authority range of the authorization node for the credit investigation data; generating a key for the credit investigation data, and encrypting the credit investigation data with the key to obtain ciphertext data; generating initial shared data according to the access authority granularity, the key and the ciphertext data; generating shared data according to the read-write authority range, the key and the initial shared data; and transmitting the shared data to the authorization node through the blockchain. The technical scheme of the embodiments helps improve the security of data sharing and enables multi-dimensional management of the data.

Description

Data sharing method based on block chain and related device
Technical Field
The present application relates to the field of block chain technologies, and in particular, to a data sharing method and related apparatus based on a block chain.
Background
As informatization develops, data security becomes increasingly important. Each enterprise holds a large amount of credit investigation data about its own enterprise clients, and this data has high security requirements.
At present, when enterprises share data with each other, data that is chosen for sharing can only be disclosed in full. This creates a high risk of data leakage, makes data sharing less secure, and prevents multi-dimensional management of the data.
Disclosure of Invention
The embodiment of the application provides a data sharing method and a related device based on a block chain, which are beneficial to improving the security of data sharing and realizing multi-dimensional management on data.
A first aspect of the present application provides a data sharing method based on a block chain, including:
acquiring credit investigation data of a transmission node on a block chain;
determining an authorization node corresponding to the credit investigation data;
determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
generating a key of the credit investigation data, and encrypting the credit investigation data according to the key to obtain ciphertext data;
generating initial shared data according to the access authority granularity, the secret key and the ciphertext data;
generating shared data according to the read-write permission range, the secret key and the initial shared data;
and transmitting the shared data to the authorized node through a block chain.
A second aspect of the present application provides a device for sharing data based on a block chain, the device comprising:
the acquisition unit is used for acquiring credit investigation data of the transmission node on the block chain;
a first determining unit, configured to determine an authorized node corresponding to the credit investigation data;
the second determining unit is used for determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
the encryption unit is used for generating a key of the credit investigation data and encrypting the credit investigation data according to the key to obtain ciphertext data;
a first generating unit, configured to generate initial shared data according to the access permission granularity, the key, and the ciphertext data;
the second generation unit is used for generating shared data according to the read-write permission range, the secret key and the initial shared data;
and the transmission unit is used for transmitting the shared data to the authorized node through the block chain.
A third aspect of the present application provides an electronic device comprising a processor, a memory, a communication interface, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps of the method of any of the first aspects of the present application.
A fourth aspect of the present application provides a computer readable storage medium having a computer program stored thereon for execution by a processor to perform some or all of the steps described in any of the methods of the first aspect of the present application.
The block chain-based data sharing method and the related device provided by the application can be used for obtaining credit investigation data of a transmission node on a block chain, determining an authorization node corresponding to the credit investigation data, determining the access right granularity of the authorization node on the credit investigation data and the read-write right range of the authorization node on the credit investigation data, generating a key of the credit investigation data, encrypting the credit investigation data according to the key to obtain ciphertext data, generating initial shared data according to the access right granularity, the key and the ciphertext data, generating shared data according to the read-write right range, the key and the initial shared data, and transmitting the shared data to the authorization node through the block chain. In the data sharing process, the credit investigation data is encrypted through the secret key to obtain ciphertext data, and nodes without authorization cannot decrypt the data, so that the data security is improved, meanwhile, the access authority granularity and the read-write authority range of the authorization node for the credit investigation data are determined, the encrypted data are further processed according to the access authority granularity and the read-write authority range, and the access authority granularity and the read-write authority range of the authorization node for the data are controlled, so that the multidimensional management of the data is realized.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present application, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a data sharing system based on a block chain according to an embodiment of the present application;
Fig. 2 is a flowchart of a data sharing method based on a block chain according to an embodiment of the present application;
Fig. 3 is a flowchart of another block chain-based data sharing method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of role-based decryption authorization provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of a data sharing apparatus based on a block chain according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device in a hardware operating environment according to an embodiment of the present application.
Detailed Description
The data sharing method and the related device based on the block chain are beneficial to improving the security of data sharing and realizing multi-dimensional management on data.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
The following describes embodiments of the present application in detail.
Referring first to Fig. 1, Fig. 1 is a schematic diagram of a blockchain-based data sharing system 100 according to an embodiment of the present application. As shown in Fig. 1, the data sharing system 100 includes a transmission node 101 and an authorization node 102.
The system acquires credit investigation data of the transmission node 101 on the blockchain; determines the authorization node 102 corresponding to the credit investigation data; determines the access authority granularity of the authorization node 102 for the credit investigation data and the read-write authority range of the authorization node 102 for the credit investigation data; generates a key for the credit investigation data and encrypts the credit investigation data with the key to obtain ciphertext data; generates initial shared data according to the access authority granularity, the key and the ciphertext data; generates shared data according to the read-write permission range, the key and the initial shared data; and transmits the shared data to the authorization node 102 through the blockchain.
The transmission node 101 and the authorization node 102 include enterprises, banks, financial institutions and the like. They are located on the same blockchain, each is an independent node on it, and they have the same authority on the blockchain. A blockchain is a decentralized storage and computing technology: it generates a permanent, unmodifiable record by stacking data blocks in chronological order and records the data blocks in each node of the blockchain network, so that a reliable database is maintained collectively in a decentralized manner.
The credit investigation data comprises list verification data, specifically comprising a black list, a gray list, a white list and the like.
On the blockchain, the transmission node 101 uploads credit investigation data to the blockchain and encrypts it, which protects the privacy and security of the transmission node 101's data. The transmission node 101 holds the rights to the credit investigation data it uploads to the blockchain; the authorization node 102 can decrypt the ciphertext information, and other nodes on the blockchain cannot decrypt it without authorization.
Furthermore, the transmission node 101 can manage the credit investigation data in multiple dimensions by determining the access authority granularity and the read-write authority range of the authorization node 102 for the credit investigation data. The credit investigation data includes data of multiple data types, and the authorization node 102 may be able to access only part of it; the access authority granularity specifies which data in the credit investigation data the authorization node 102 can access. After the authorization node 102 receives the data shared by the transmission node 101, it can access or modify the data; the read-write authority range specifies whether the authorization node 102 can only read data, only write data, or both read and write data. Shared data is generated according to the access authority granularity and the read-write authority range and transmitted to the authorization node 102 through the blockchain, so that data sharing becomes more secure and the data is managed in multiple dimensions.
Referring to fig. 2, fig. 2 is a flowchart of a data sharing method based on a blockchain according to an embodiment of the present disclosure. As shown in fig. 2, a data sharing method based on a block chain according to this embodiment may include:
201. Acquiring credit investigation data of the transmission node on the blockchain.
A blockchain is a decentralized storage and computing technology that creates permanent, unmodifiable records by stacking data blocks in chronological order and records them in the individual nodes of the blockchain network, so that a reliable database is maintained collectively in a decentralized manner.
The transmission node includes an enterprise, a bank, a financial institution, and the like, and the transmission node is an independent node on the blockchain. The credit investigation data comprises list verification data, specifically comprising a black list, a gray list, a white list and the like.
202. Determining an authorization node corresponding to the credit investigation data.
The authorization nodes include enterprises, banks, financial institutions and the like, the authorization nodes are independent nodes on the blockchain, and the blockchain type in the embodiment of the application can be a federation chain, that is, the authorization nodes are independent nodes on the federation chain.
On the blockchain, the transmission node uploads credit investigation data to the blockchain and encrypts it, which protects the privacy and security of the transmission node's data. The transmission node holds the rights to the credit investigation data it uploads to the blockchain; the authorization node can decrypt the ciphertext information, and other nodes on the blockchain cannot decrypt it without authorization.
In one possible example, the authorized node corresponding to the credit data may be determined by the transmitting node selecting the authorized node.
In one possible example, a mapping relationship between the data identifier and the node identifier is stored in the blockchain, and the manner of determining the authorized node corresponding to the credit data may be:
acquiring a data identifier of credit investigation data;
inquiring the mapping relation between the data identification and the node identification, and determining the node identification matched with the data identification of the credit investigation data;
and determining the corresponding authorized node according to the node identifier.
Therefore, the node identification corresponding to the data identification of the credit investigation data is searched according to the mapping relation between the data identification and the node identification, so that the authorized node corresponding to the credit investigation data is determined, and automatic authorization can be realized without selecting the authorized node by a transmission node.
203. Determining the access authority granularity of the authorization node for the credit investigation data and the read-write authority range of the authorization node for the credit investigation data.
The transmission node can manage the credit investigation data in multiple dimensions by determining the access authority granularity and the read-write authority range of the authorization node for the credit investigation data. The credit investigation data includes data of various data types, and the authorization node may be able to access only part of it; the access authority granularity specifies which data in the credit investigation data the authorization node can access. After receiving the data shared by the transmission node, the authorization node can access or modify the data; the read-write authority range specifies whether the authorization node can only read data, only write data, or both read and write data.
For example, when the credit investigation data is list verification data, it includes data of types such as list first-level type, list second-level type, warehousing label, organization code, unified social credit code and warehousing time. An authorization node may be able to access only several specific types of this data, for example only the list first-level type and the list second-level type; that is the access authority granularity of the authorization node for the credit investigation data. Among different authorization nodes, some can read the credit investigation data, some can write it, and some can both read and write it; that is the read-write authority range of the authorization node for the credit investigation data.
204. Generating a key for the credit investigation data, and encrypting the credit investigation data with the key to obtain ciphertext data.
The blockchain encryption authorization scheme adopts a one-file-one-key mode, that is, the credit investigation data corresponds to a unique key, which keeps the credit investigation data independent of other data. The method for generating the key may be the AES-128 algorithm.
In one possible example, the method for encrypting the credit data according to the key may be:
dividing credit investigation data into M pieces of domain data according to data types, wherein M is a positive integer;
deriving M groups of domain keys according to the key;
and respectively encrypting the M pieces of domain data according to the M groups of domain keys, wherein the M groups of domain keys correspond to the M pieces of domain data one by one.
Specifically, the credit investigation data is divided into M pieces of domain data according to data type, where M is a positive integer. The M pieces of domain data correspond to the M data types and share the same service attribute, namely the service attribute of the credit investigation data. Because the credit investigation data corresponds to a unique key, M groups of domain keys can be derived from that key. Each group of domain keys independently encrypts one piece of domain data, and the M groups of domain keys correspond one-to-one to the M pieces of domain data, so every piece of domain data has its own independent group of domain keys. This allows each piece of domain data to be authorized independently: the authorization node can access some of the data in the credit investigation data without the credit investigation data being split into several pieces of data that are transmitted separately.
205. Generating initial shared data according to the access authority granularity, the key and the ciphertext data.
In one possible example, the method of generating the initial shared data according to the access right granularity, the key and the ciphertext data may be:
determining N data types of the credit investigation data accessible by the authorization node according to the access authority granularity, wherein N is a positive integer not greater than M;
determining N pieces of domain data matched with the N data types;
determining N groups of domain keys corresponding to the N pieces of domain data;
and generating initial shared data, wherein the initial shared data comprises N groups of domain keys and ciphertext data.
Specifically, the credit investigation data is divided into M pieces of domain data according to data type, where M is a positive integer and the M pieces of domain data correspond to the M data types. The authorization node may be able to access only part of the data, and the access authority granularity specifies which data in the credit investigation data the authorization node can access. For example, when the credit investigation data is list verification data, it includes data of types such as list first-level type, list second-level type, warehousing label, organization code, unified social credit code and warehousing time, and the authorization node may be able to access only several specific types, for example only the list first-level type and the list second-level type; that is the access authority granularity of the authorization node for the credit investigation data. The N data types of the credit investigation data that the authorization node can access can therefore be determined from the access authority granularity, where N is a positive integer not greater than M.
Because the M pieces of domain data are divided according to data type, the N pieces of domain data that match the N data types can be determined from the N data types. During encryption of the credit investigation data, each of the M pieces of domain data is independently encrypted with one of the M groups of domain keys, and the M groups of domain keys correspond one-to-one to the M pieces of domain data, so each piece of domain data has its own independent group of domain keys. The N groups of domain keys corresponding to the N pieces of domain data can therefore be determined from the N pieces of domain data.
Initial shared data is then generated, comprising the N groups of domain keys and the ciphertext data. The authorization node can decrypt ciphertext only with the corresponding keys, so with the N groups of domain keys in the initial shared data it can access only the N pieces of domain data that correspond to those keys.
206. Generating shared data according to the read-write permission range, the key and the initial shared data.
In one possible example, the method for generating the shared data according to the read-write right range, the secret key and the initial shared data may be:
and when the read-write permission range comprises the read permission and the write permission, generating shared data, wherein the shared data comprises N groups of domain keys and ciphertext data, and each group of domain key in the N groups of domain keys comprises a symmetric key and an asymmetric key.
Specifically, after receiving the data shared by the transmission nodes, the authorization node may access or modify the data, where the read-write permission range is that the authorization node can only read data or only write data, or can both read data and write data. For different authorization nodes, some authorization nodes can read information of the credit investigation data, some authorization nodes can write information of the credit investigation data, and some authorization nodes can read information of the credit investigation data and write information of the credit investigation data, namely the read-write permission range of the authorization nodes for the credit investigation data.
In the process of encrypting credit investigation data, two keys are required, wherein the first key is a symmetric key and is used for encrypting the credit investigation data, the second key is an asymmetric key and is used for signing an encrypted result, and in the process of authorization, if the symmetric key and the asymmetric key are simultaneously sent to an authorization node, the authorization node simultaneously has read-write permission.
Therefore, when the authorized node includes the read right and the write right to the credit data, shared data is generated, the shared data includes N sets of domain keys and ciphertext data, and each set of domain key in the N sets of domain keys includes a symmetric key and an asymmetric key.
In one possible example, the method for generating the shared data according to the read-write right range, the secret key and the initial shared data may further be:
when the read-write permission range comprises the read permission, shared data is generated, and the shared data comprises a symmetric key and ciphertext data in the N groups of domain keys;
and when the read-write permission range comprises the write permission, generating shared data, wherein the shared data comprises asymmetric keys and ciphertext data in the N groups of domain keys.
Specifically, after receiving the data shared by the transmission nodes, the authorization node may access or modify the data, where the read-write permission range is that the authorization node can only read data or only write data, or can both read data and write data. For different authorization nodes, some authorization nodes can read information of the credit investigation data, some authorization nodes can write information of the credit investigation data, and some authorization nodes can read information of the credit investigation data and write information of the credit investigation data, namely the read-write permission range of the authorization nodes for the credit investigation data.
In the process of encrypting credit investigation data, two keys are required, wherein the first key is a symmetric key and is used for encrypting the credit investigation data, the second key is an asymmetric key and is used for signing an encryption result, in the process of authorization, if only the first key (symmetric key) is sent to an authorization node, the authorization node only has the authority of viewing the data, and if the second key (asymmetric key) is sent to the authorization node, the authorization node has the authority of modifying and deleting the data.
Therefore, when the read-write permission range of the authorization node for the credit investigation data comprises the read permission, shared data is generated, the shared data comprises a symmetric key and ciphertext data in the N groups of domain keys, and when the read-write permission range of the authorization node for the credit investigation data comprises the write permission, the shared data is generated, and the shared data comprises an asymmetric key and ciphertext data in the N groups of domain keys.
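The key handling of steps 204 to 206, as an added example that is not part of the patent text and covers the read-only and read-write grants. It assumes HMAC-SHA256 to derive the domain keys, AES-128-GCM for encryption and Ed25519 for the signing key; the names `DomainKeyFor`, `MakeGrant`, `Read`, `Write` and the sample field names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type (
	DomainKey struct { // one group of domain keys, for a single data type
		Sym    []byte             // AES-128 key: read permission
		Sign   ed25519.PrivateKey // write permission; nil in a read-only grant
		Verify ed25519.PublicKey  // lets a reader check that a value was signed
	}
	Sealed struct{ Box, Sig []byte }    // nonce||ciphertext and its signature
	Record map[string]Sealed            // the M sealed domains on the chain
	Grant  map[string]DomainKey         // key groups for the N authorized domains
)

// DomainKeyFor derives one domain's key group from the per-record key.
func DomainKeyFor(recordKey []byte, domain string) DomainKey {
	derive := func(label string) []byte { // assumed KDF: HMAC-SHA256(key, label|domain)
		m := hmac.New(sha256.New, recordKey)
		m.Write([]byte(label + "|" + domain))
		return m.Sum(nil)
	}
	sk := ed25519.NewKeyFromSeed(derive("sig"))
	return DomainKey{derive("enc")[:16], sk, sk.Public().(ed25519.PublicKey)}
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeGrant hands over N of the M key groups; the signing key only with write access.
func MakeGrant(recordKey []byte, domains []string, write bool) Grant {
	g := Grant{}
	for _, d := range domains {
		k := DomainKeyFor(recordKey, d)
		if !write {
			k.Sign = nil // read-only: the signing key stays with the owner
		}
		g[d] = k
	}
	return g
}

// Write encrypts and signs one domain; it fails without that domain's signing key.
func Write(g Grant, r Record, domain, value string) error {
	k, ok := g[domain]
	if !ok || k.Sign == nil {
		return fmt.Errorf("grant does not permit writing %q", domain)
	}
	a, err := aead(k.Sym)
	if err != nil {
		return err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	box := a.Seal(nonce, nonce, []byte(value), []byte(domain)) // nonce || ciphertext
	r[domain] = Sealed{box, ed25519.Sign(k.Sign, box)}
	return nil
}

// Read returns the plaintext of every domain the grant can verify and decrypt.
func Read(g Grant, r Record) map[string]string {
	out := map[string]string{}
	for domain, k := range g {
		s, ok := r[domain]
		a, err := aead(k.Sym)
		if !ok || err != nil || !ed25519.Verify(k.Verify, s.Box, s.Sig) {
			continue
		}
		n := a.NonceSize()
		if pt, err := a.Open(nil, s.Box[:n], s.Box[n:], []byte(domain)); err == nil {
			out[domain] = string(pt)
		}
	}
	return out
}

func main() {
	key := []byte("constructed-key!") // constructed per-record key, sample only
	rec, owner := Record{}, MakeGrant(key, []string{"list_type_1", "org_code"}, true)
	fmt.Println(Write(owner, rec, "list_type_1", "blacklist"), Write(owner, rec, "org_code", "ORG-0001"))
	reader := MakeGrant(key, []string{"list_type_1"}, false)
	fmt.Println(Read(reader, rec), Write(reader, rec, "list_type_1", "whitelist"))
}
```

Readers skip any value whose signature does not verify under the domain's public key, so a node that holds only the symmetric key cannot replace a domain with a value other readers will accept.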
207. Transmitting the shared data to the authorization node through the blockchain.
After the shared data is transmitted to the authorization node through the blockchain, the authorization node receives the shared data, obtains the key and the ciphertext data from it, and decrypts the ciphertext data with the key. It can then access the data it is authorized for, or write, modify, delete it and so on.
In one possible example, after transmitting the shared data to the authorized node through the blockchain, the method further includes:
acquiring a node identifier of an authorized node;
acquiring a data identifier of credit investigation data;
establishing a mapping relation between the data identification and the node identification;
and storing the mapping relation on the block chain, wherein the mapping relation is used for determining the node identification according to the data identification.
Specifically, in the data sharing process, the node identifier of each authorized node in the block chain can be further obtained, the data identifier of the credit investigation data is obtained, then the mapping relationship between each data identifier and each node identifier is established, and the mapping relationship is stored in the block chain.
In one possible example, after transmitting the shared data to the authorized node through the blockchain, the method further includes:
setting an authorization time;
when the current time does not exceed the authorization time, the read-write permission range of the shared data by the authorization node is maintained;
and when the current time exceeds the authorization time, sending an access refusing instruction to the authorization node, wherein the access refusing instruction is used for canceling the read-write permission range of the authorization node to the shared data.
Specifically, this example implements authorization recovery: an authorization time is set during authorization, the authorized party (authorization node) is allowed to access the data within the authorization time, and the authorized party (authorization node) cannot access the data once the authorization time is exceeded, which helps improve the privacy and security of the data.
In one possible example, when the transmission node uploads the credit investigation data to the blockchain and needs to share it with the authorization node, the transmission node does not send the private key generated for the credit investigation data directly to the authorization node. Instead, it provides an authorized list for the credit investigation data, and only the owner of the credit investigation data, that is, the transmission node, can modify the authorized list, so that the owner of the data always keeps absolute control over the credit investigation data. For example, the transmission node uploads a contract to the blockchain; some parts of the contract are completed by the transmission node and other parts need to be completed by the authorization node. The transmission node then needs to grant the authority to modify data to the authorization node. After the authorization node has supplemented the contract, the contract enters a secrecy stage, and the transmission node needs to take back the authority of the authorization node, which realizes authorization recovery.
It can be seen that, with the blockchain-based data sharing method provided in this embodiment, credit investigation data of a transmission node on the blockchain is obtained; an authorization node corresponding to the credit investigation data is determined; the access right granularity and the read-write right range of the authorization node for the credit investigation data are determined; a key of the credit investigation data is generated and the credit investigation data is encrypted according to the key to obtain ciphertext data; initial shared data is generated according to the access right granularity, the key and the ciphertext data; shared data is generated according to the read-write right range, the key and the initial shared data; and the shared data is transmitted to the authorization node through the blockchain. In the data sharing process, the credit investigation data is encrypted with the key to obtain ciphertext data, and nodes without authorization cannot decrypt the data, which improves data security. At the same time, the access authority granularity and the read-write authority range of the authorization node for the credit investigation data are determined and the encrypted data is further processed according to them, so that the access authority granularity and the read-write authority range of the authorization node for the data are controlled and multidimensional management of the data is realized.
Referring to fig. 3, fig. 3 is a flowchart of another block chain-based data sharing method according to another embodiment of the present application. As shown in fig. 3, another method for sharing data based on a block chain according to an embodiment of the present application may include:
301. Acquiring credit investigation data of the transmission node on the blockchain.
Blockchain is a decentralized storage and computation technique that creates persistent, non-modifiable records by stacking data blocks in chronological order and stores credits in individual nodes of a blockchain network so that a reliable database is maintained collectively in a decentralized manner.
The transmission node includes an enterprise, a bank, a financial institution, and the like, and the transmission node is an independent node on the blockchain. The credit investigation data comprises list verification data, specifically comprising a black list, a gray list, a white list and the like.
302. Determining an authorization node corresponding to the credit investigation data.
The authorization nodes include enterprises, banks, financial institutions and the like, the authorization nodes are independent nodes on the blockchain, and the blockchain type in the embodiment of the application can be a federation chain, that is, the authorization nodes are independent nodes on the federation chain.
On the blockchain, the transmission node uploads credit investigation data to the blockchain and encrypts it, which guarantees the data privacy and security of the transmission node. The transmission node holds the rights to the credit investigation data it has uploaded to the blockchain; the authorization node can decrypt the ciphertext information, and other nodes on the blockchain cannot decrypt the ciphertext information without authorization.
In one possible example, the authorized node corresponding to the credit data may be determined by the transmitting node selecting the authorized node.
In one possible example, a mapping relationship between the data identifier and the node identifier is stored in the blockchain, and the manner of determining the authorized node corresponding to the credit data may be:
acquiring a data identifier of credit investigation data;
inquiring the mapping relation between the data identification and the node identification, and determining the node identification matched with the data identification of the credit investigation data;
and determining the corresponding authorized node according to the node identifier.
Therefore, the node identification corresponding to the data identification of the credit investigation data is searched according to the mapping relation between the data identification and the node identification, so that the authorized node corresponding to the credit investigation data is determined, and automatic authorization can be realized without selecting the authorized node by a transmission node.
303. Determining the access authority granularity of the authorization node for the credit investigation data and the read-write authority range of the authorization node for the credit investigation data.
The transmission node can manage the credit investigation data in multiple dimensions by determining the access authority granularity and the read-write authority range of the authorization node for the credit investigation data. The credit investigation data includes data of various data types, and the authorization node may only be able to access part of the data; the access authority granularity specifies which data in the credit investigation data the authorization node can access. After receiving the data shared by the transmission node, the authorization node can access or modify the data; the read-write authority range specifies whether the authorization node can only read data, only write data, or both read and write data.
For example, when the credit investigation data is list verification data, it includes data of types such as list first-level type, list second-level type, warehousing label, organization code, unified social credit code and warehousing time. An authorization node may only be able to access several specific types of data in the credit investigation data, for example only the list first-level type and the list second-level type; this is the access authority granularity of the authorization node for the credit investigation data. Among different authorization nodes, some can read information of the credit investigation data, some can write information of the credit investigation data, and some can both read and write information of the credit investigation data; this is the read-write authority range of the authorization node for the credit investigation data.
304. Generating a key for the credit investigation data.
The encryption authorization scheme of the blockchain adopts a one-file-one-secret mode, that is, the credit investigation data corresponds to a unique key, which ensures independence between the credit investigation data and other data. The method for generating the key may be the AES-128 algorithm.
305. Dividing credit investigation data into M pieces of domain data according to data types, wherein M is a positive integer.
Dividing credit investigation data into M pieces of domain data according to data types, wherein M is a positive integer, the M pieces of domain data respectively correspond to the M data types, and the M pieces of domain data belong to the same service attribute, namely belong to the service attribute of the credit investigation data.
306. Deriving M groups of domain keys according to the key, and encrypting the M pieces of domain data according to the M groups of domain keys respectively, wherein the M groups of domain keys correspond to the M pieces of domain data one by one.
The credit investigation data corresponds to a unique key, so that M groups of domain keys can be derived according to the key, each group of domain key in the M groups of domain keys is used for independently encrypting each piece of domain data in the M pieces of domain data, the M groups of domain keys correspond to the M pieces of domain data one by one, and therefore the M pieces of domain data correspond to one group of independent domain keys, and independent authorization of the M pieces of domain data is achieved.
307. Determining, according to the access authority granularity, N data types of the credit investigation data accessible to the authorization node, wherein N is a positive integer not greater than M.
Specifically, the credit investigation data is divided into M pieces of domain data according to data types, where M is a positive integer and the M pieces of domain data correspond respectively to M data types. An authorization node may only be able to access part of the data, and the access authority granularity specifies which data in the credit investigation data the authorization node can access. For example, when the credit investigation data is list verification data, it includes data of types such as list first-level type, list second-level type, warehousing label, organization code, unified social credit code and warehousing time, and the authorization node may only be able to access several specific types of this data, for example only the list first-level type and the list second-level type; this is the access authority granularity of the authorization node for the credit investigation data. The N data types of the credit investigation data that the authorization node can access can therefore be determined according to the access authority granularity, where N is a positive integer not greater than M.
308. Determining N pieces of domain data matched with the N data types, and determining N groups of domain keys corresponding to the N pieces of domain data.
Because the M pieces of domain data are divided according to data type, the N pieces of domain data matching the N data types can be determined from the N data types. In the process of encrypting the credit investigation data, each piece of domain data in the M pieces of domain data is independently encrypted with its own group of domain keys in the M groups of domain keys, and the M groups of domain keys correspond to the M pieces of domain data one by one. Each of the M pieces of domain data therefore corresponds to one independent group of domain keys, and the N groups of domain keys corresponding to the N pieces of domain data can be determined from the N pieces of domain data.
309. Generating initial shared data, wherein the initial shared data includes the N groups of domain keys and the ciphertext data.
The initial shared data includes the N groups of domain keys and the ciphertext data. Because the authorization node can decrypt the ciphertext only after obtaining the keys, the authorization node can only access the N pieces of domain data corresponding to the N groups of domain keys in the initial shared data.
310. When the read-write permission range includes the read permission and the write permission, generating shared data, wherein the shared data includes the N groups of domain keys and the ciphertext data, and each group of domain keys in the N groups of domain keys includes a symmetric key and an asymmetric key.
Specifically, after receiving the data shared by the transmission nodes, the authorization node may access or modify the data, where the read-write permission range is that the authorization node can only read data or only write data, or can both read data and write data. For different authorization nodes, some authorization nodes can read information of the credit investigation data, some authorization nodes can write information of the credit investigation data, and some authorization nodes can read information of the credit investigation data and write information of the credit investigation data, namely the read-write permission range of the authorization nodes for the credit investigation data.
Encrypting the credit investigation data involves two keys: the first is a symmetric key used to encrypt the credit investigation data, and the second is an asymmetric key used to sign the encryption result. During authorization, if the symmetric key and the asymmetric key are both sent to the authorization node, the authorization node has both read and write permission.
Therefore, when the read-write permission range of the authorization node for the credit investigation data includes the read permission and the write permission, shared data is generated; the shared data includes the N groups of domain keys and the ciphertext data, and each group of domain keys in the N groups of domain keys includes a symmetric key and an asymmetric key.
311. Transmitting the shared data to the authorization node through the blockchain.
After the shared data is transmitted to the authorization node through the blockchain, the authorization node receives the shared data, obtains the key and the ciphertext data from the shared data, and decrypts the ciphertext data with the key, so that it can access the data within its authority or perform operations such as writing, modifying and deleting.
312. Acquiring the node identifier of the authorization node.
313. Acquiring the data identifier of the credit investigation data.
314. Establishing a mapping relation between the data identifier and the node identifier, and storing the mapping relation on the blockchain, wherein the mapping relation is used for determining the node identifier according to the data identifier.
Specifically, in the data sharing process, the node identifier of each authorized node in the block chain can be further obtained, the data identifier of the credit investigation data is obtained, then the mapping relationship between each data identifier and each node identifier is established, and the mapping relationship is stored in the block chain.
Referring to fig. 4, fig. 4 is a schematic diagram of split-role decryption authorization provided in an embodiment of the present application. As shown in fig. 4, the nodes in the blockchain are financial institutions, and credit investigation data is shared between the financial institutions.
Specifically, the credit investigation data uploaded by financial institution A includes a first plaintext, a second plaintext, a third plaintext and a fourth plaintext, which correspond respectively to a blacklist, a grey list, a green list and a white list. Financial institution A encrypts the data and uploads the encrypted data to the blockchain as a first ciphertext, a second ciphertext, a third ciphertext and a fourth ciphertext. In the data sharing process, the first plaintext (blacklist) needs to be transmitted to financial institution B, the first plaintext (blacklist) and the second plaintext (grey list) need to be transmitted to financial institution C, and the fourth plaintext (white list) needs to be transmitted to financial institution D, while no data is transmitted to financial institution N.
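The Fig. 4 scenario, the domain-key steps 305 to 309 and the authorization-time check can be exercised end to end as follows. This is an added example, not code from the patent: all class and function names are hypothetical, the list contents are constructed, only the read permission (symmetric domain keys) is covered, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES encryption the text names so that the block needs only the Python standard library.

```python
import hashlib
import hmac
import secrets

# All names below are hypothetical; the records are constructed sample data.


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_domain_key(master_key, domain):
    """Derive one independent key per data type (HKDF-Expand style, one block)."""
    return _prf(master_key, b"domain-key|" + domain.encode() + b"\x01")


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(domain_key, plaintext):
    """Encrypt-then-MAC with a stand-in stream cipher (not AES): nonce | ct | tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_prf(domain_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + _prf(_prf(domain_key, b"mac"), nonce + ct)


def unseal(domain_key, blob):
    """Check the tag before decrypting; the key of another domain fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(domain_key, b"mac"), nonce + ct)):
        raise ValueError("wrong domain key or modified ciphertext")
    stream = _keystream(_prf(domain_key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class TransmissionNode:
    """Data owner: keeps the master key and the authorized list to itself."""

    def __init__(self, records):
        self._master_key = secrets.token_bytes(32)  # one key per credit record
        self.ciphertexts = {  # what is published on the chain (M domains)
            d: seal(derive_domain_key(self._master_key, d), pt)
            for d, pt in records.items()
        }
        self._authorized = {}  # node id -> (granted domains, authorization time)

    def grant(self, node_id, domains, expires_at):
        unknown = set(domains) - set(self.ciphertexts)
        if unknown:
            raise KeyError(f"no such data type: {sorted(unknown)}")
        self._authorized[node_id] = (frozenset(domains), expires_at)

    def revoke(self, node_id):
        self._authorized.pop(node_id, None)

    def share(self, node_id, now):
        """Build shared data: N granted domain keys plus the ciphertext data."""
        if node_id not in self._authorized:
            raise PermissionError(f"{node_id} is not on the authorized list")
        domains, expires_at = self._authorized[node_id]
        if now > expires_at:
            raise PermissionError(f"authorization time exceeded for {node_id}")
        keys = {d: derive_domain_key(self._master_key, d) for d in domains}
        return {"domain_keys": keys, "ciphertexts": dict(self.ciphertexts)}


def read_shared(shared):
    """Authorization node side: decrypt exactly the domains it holds keys for."""
    return {d: unseal(k, shared["ciphertexts"][d]) for d, k in shared["domain_keys"].items()}


def build_fig4_owner():
    """Financial institution A from Fig. 4, with constructed list contents."""
    owner = TransmissionNode({
        "blacklist": b"ORG-0001,ORG-0002",
        "grey_list": b"ORG-0103",
        "green_list": b"ORG-0210",
        "white_list": b"ORG-0377,ORG-0378",
    })
    owner.grant("B", ["blacklist"], expires_at=1_000)
    owner.grant("C", ["blacklist", "grey_list"], expires_at=1_000)
    owner.grant("D", ["white_list"], expires_at=500)
    return owner  # institution N receives no grant


if __name__ == "__main__":
    a = build_fig4_owner()
    for node in ("B", "C", "D", "N"):
        try:
            print(node, sorted(read_shared(a.share(node, now=100))))
        except PermissionError as exc:
            print(node, "refused:", exc)
```

The authorization-time check here only gates the release of keys: a node that kept a domain key from an earlier share can still decrypt the unchanged on-chain ciphertext. Revocation that has to hold cryptographically therefore requires re-encrypting that domain under a new key.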
Referring to fig. 5, fig. 5 is a schematic diagram of a data sharing apparatus based on a blockchain according to an embodiment of the present application. As shown in fig. 5, an apparatus for sharing data based on a block chain according to an embodiment of the present application may include:
an obtaining unit 501, configured to obtain credit investigation data of a transmission node on a block chain;
a first determining unit 502, configured to determine an authorized node corresponding to the credit investigation data;
a second determining unit 503, configured to determine the access permission granularity of the authorization node for the credit investigation data and the read-write permission range of the authorization node for the credit investigation data;
an encrypting unit 504, configured to generate a key of the credit investigation data, and encrypt the credit investigation data according to the key to obtain ciphertext data;
a first generating unit 505, configured to generate initial shared data according to the access right granularity, the key, and the ciphertext data;
a second generating unit 506, configured to generate shared data according to the read-write permission range, the secret key, and the initial shared data;
a transmitting unit 507, configured to transmit the shared data to the authorized node through a blockchain.
For specific implementation of the data sharing apparatus based on the block chain, reference may be made to the embodiments of the data sharing method based on the block chain, which are not described herein again.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device in a hardware operating environment according to an embodiment of the present application. As shown in fig. 6, an electronic device of a hardware operating environment according to an embodiment of the present application may include:
a processor 601, such as a CPU;
a memory 602, which may be a high-speed RAM memory or a stable memory such as a disk memory;
a communication interface 603, configured to implement connection communication between the processor 601 and the memory 602.
Those skilled in the art will appreciate that the configuration of the electronic device shown in fig. 6 does not constitute a limitation of the electronic device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 6, the memory 602 may include an operating system, a network communication module, and a program for data sharing. The operating system is a program that manages and controls the hardware and software resources of the electronic device and supports the running of the program for data sharing and of other software or programs. The network communication module is used for communication among the components in the memory 602, and with other hardware and software in the electronic device.
In the electronic device shown in fig. 6, a processor 601 is configured to execute a program for sharing data stored in a memory 602, and implement the following steps:
acquiring credit investigation data of a transmission node on a block chain;
determining an authorization node corresponding to the credit investigation data;
determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
generating a key of the credit investigation data, and encrypting the credit investigation data according to the key to obtain ciphertext data;
generating initial shared data according to the access authority granularity, the secret key and the ciphertext data;
generating shared data according to the read-write permission range, the secret key and the initial shared data;
and transmitting the shared data to the authorized node through a block chain.
For specific implementation of the electronic device of the present application, reference may be made to various embodiments of the above data sharing method based on a block chain, which are not described herein again.
Another embodiment of the present application provides a computer-readable storage medium storing a computer program for execution by a processor to perform the steps of:
acquiring credit investigation data of a transmission node on a block chain;
determining an authorization node corresponding to the credit investigation data;
determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
generating a key of the credit investigation data, and encrypting the credit investigation data according to the key to obtain ciphertext data;
generating initial shared data according to the access authority granularity, the secret key and the ciphertext data;
generating shared data according to the read-write permission range, the secret key and the initial shared data;
and transmitting the shared data to the authorized node through a block chain.
For specific implementation of the computer-readable storage medium of the present application, reference may be made to the embodiments of the data sharing method based on the block chain, which are not described herein again.
It is also noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present application is not limited by the order of acts, as some steps may, in accordance with the present application, occur in other orders and concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application. In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A method for sharing data based on block chains is characterized by comprising the following steps:
acquiring credit investigation data of a transmission node on a block chain;
determining an authorization node corresponding to the credit investigation data;
determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
generating a key of the credit investigation data, and encrypting the credit investigation data according to the key to obtain ciphertext data;
generating initial shared data according to the access authority granularity, the secret key and the ciphertext data;
generating shared data according to the read-write permission range, the secret key and the initial shared data;
and transmitting the shared data to the authorized node through a block chain.
2. The method of claim 1, wherein the encrypting the credit data according to the key comprises:
dividing the credit investigation data into M pieces of domain data according to data types, wherein M is a positive integer;
deriving M groups of domain keys according to the key;
and encrypting the M pieces of domain data according to the M groups of domain keys, wherein the M groups of domain keys correspond to the M pieces of domain data one by one.
3. The method of claim 2, wherein the generating initial shared data from the access right granularity, the key, and the ciphertext data comprises:
determining N data types of the credit investigation data accessible to the authorization node according to the access authority granularity, wherein N is a positive integer not greater than M;
determining N pieces of domain data matched with the N data types;
determining N groups of domain keys corresponding to the N pieces of domain data;
generating the initial shared data, the initial shared data including the N sets of domain keys and the ciphertext data.
4. The method of claim 3, wherein the generating shared data according to the read-write permission range, the key, and the initial shared data comprises:
and when the read-write permission range comprises read permission and write permission, generating the shared data, wherein the shared data comprises the N groups of domain keys and the ciphertext data, and each group of domain key in the N groups of domain keys comprises a symmetric key and an asymmetric key.
5. The method of claim 4, wherein the generating shared data according to the read-write permission range, the secret key and the initial shared data further comprises:
when the read-write permission range comprises the read permission, generating the shared data, wherein the shared data comprises a symmetric key in the N groups of domain keys and the ciphertext data;
and when the read-write permission range comprises the write permission, generating the shared data, wherein the shared data comprises the asymmetric key in the N groups of domain keys and the ciphertext data.
6. The method according to any of claims 1 to 5, wherein after transmitting the shared data to the authorized node via a blockchain, the method further comprises:
acquiring a node identifier of the authorization node;
acquiring a data identifier of the credit investigation data;
establishing a mapping relation between the data identifier and the node identifier;
and storing the mapping relation on a block chain, wherein the mapping relation is used for determining the node identification according to the data identification.
7. The method of claim 6, wherein after the transmitting the shared data to the authorized node via a blockchain, the method further comprises:
setting an authorization time;
when the current time does not exceed the authorization time, maintaining the read-write permission range of the authorization node to the shared data;
and when the current time exceeds the authorization time, sending an access refusing instruction to the authorization node, wherein the access refusing instruction is used for canceling the read-write permission range of the authorization node to the shared data.
8. An apparatus for data sharing based on a blockchain, the apparatus comprising:
the acquisition unit is used for acquiring credit investigation data of the transmission node on the block chain;
a first determining unit, configured to determine an authorized node corresponding to the credit investigation data;
the second determining unit is used for determining the access authority granularity of the authorization node on the credit investigation data and the read-write authority range of the authorization node on the credit investigation data;
the encryption unit is used for generating a key of the credit investigation data and encrypting the credit investigation data according to the key to obtain ciphertext data;
a first generating unit, configured to generate initial shared data according to the access permission granularity, the key, and the ciphertext data;
the second generation unit is used for generating shared data according to the read-write permission range, the secret key and the initial shared data;
and the transmission unit is used for transmitting the shared data to the authorized node through the block chain.
9. An electronic device, comprising a processor, a memory, a communication interface, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which is executed by a processor to implement the method of any one of claims 1 to 7.
CN202010096196.4A 2020-02-17 2020-02-17 Data sharing method based on block chain and related device Pending CN111274599A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010096196.4A CN111274599A (en) 2020-02-17 2020-02-17 Data sharing method based on block chain and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010096196.4A CN111274599A (en) 2020-02-17 2020-02-17 Data sharing method based on block chain and related device

Publications (1)

Publication Number Publication Date
CN111274599A true CN111274599A (en) 2020-06-12

Family

ID=70997203

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010096196.4A Pending CN111274599A (en) 2020-02-17 2020-02-17 Data sharing method based on block chain and related device

Country Status (1)

Country Link
CN (1) CN111274599A (en)

CN110855671B (en) Trusted computing method and system
CN109614818B (en) Authorized identity-based keyword search encryption method
US10650164B2 (en) System and method for obfuscating an identifier to protect the identifier from impermissible appropriation
CN100518411C (en) Dynamic cipher system and method based on mobile communication terminal
CN107959567A (en) Date storage method, data capture method, apparatus and system
CN113541935B (en) Encryption cloud storage method, system, equipment and terminal supporting key escrow
JP2023500570A (en) Digital signature generation using cold wallet
CN113420319A (en) Data privacy protection method and system based on block chain and permission contract
CN106452770A (en) Data encryption method and apparatus, data decryption method and apparatus, and system
CN111859446A (en) Agricultural product traceability information sharing-privacy protection method and system
WO2020123926A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN112487443A (en) Energy data fine-grained access control method based on block chain
CN115567312B (en) Alliance chain data authority management system and method capable of meeting various scenes
CN110138548A (en) Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system
Kumar et al. Data outsourcing: A threat to confidentiality, integrity, and availability
CN114500069A (en) Method and system for storing and sharing electronic contract
Bhargav et al. A review on cryptography in cloud computing
CN103973698A (en) User access right revoking method in cloud storage environment
CN102752112A (en) Authority control method and device based on signed message 1 (SM1)/SM2 algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination