CN111291399B - Data encryption method, system, computer system and computer readable storage medium - Google Patents

Data encryption method, system, computer system and computer readable storage medium Download PDF

Info

Publication number
CN111291399B
CN111291399B CN202010149130.7A CN202010149130A CN111291399B CN 111291399 B CN111291399 B CN 111291399B CN 202010149130 A CN202010149130 A CN 202010149130A CN 111291399 B CN111291399 B CN 111291399B
Authority
CN
China
Prior art keywords
key
transaction
state
data
root key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010149130.7A
Other languages
Chinese (zh)
Other versions
CN111291399A (en
Inventor
帅斌成
王云浩
过晓冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN202010149130.7A priority Critical patent/CN111291399B/en
Publication of CN111291399A publication Critical patent/CN111291399A/en
Application granted granted Critical
Publication of CN111291399B publication Critical patent/CN111291399B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The present disclosure provides a data encryption method, which is applied to any one blockchain node in a blockchain network, and the method includes: responding to a transaction request from a client, and executing a transaction logic corresponding to the transaction request to obtain transaction data; acquiring a root key of a block chain network; calculating by using the root key to obtain a state key corresponding to the transaction request; and encrypting the transaction data by using the state key corresponding to the transaction request to obtain encrypted state data. The present disclosure also provides a data encryption system, a computer system, and a computer-readable storage medium.

Description

Data encryption method, system, computer system and computer readable storage medium
Technical Field
The present disclosure relates to a data encryption method, a data encryption system, a computer system, and a computer-readable storage medium.
Background
The block chain has the characteristics of decentralization, openness, transparency and information non-falsification, and a trust infrastructure based on the block chain can be constructed on the basis of the characteristics, so that the circulation of data and value between organizations is accelerated. But due to the open, transparent nature of blockchains, private data within or between organizations is not suitable for being deposited on blockchains. Data privacy issues are becoming an important factor limiting the value and area of blockchain applications. In the related art, a side chain isolation technology is generally adopted to store the private data, such as a Channel mechanism of Fabric, and a party related to the private data adopts a new chain to realize data exchange. But this scheme is poorly scalable, with privacy data correlation Fang Yueduo requiring more side chains.
Disclosure of Invention
One aspect of the present disclosure provides a data encryption method, applied to any one blockchain node in a blockchain network, where the method includes: responding to a transaction request from a client, and executing a transaction logic corresponding to the transaction request to obtain transaction data; acquiring a root key of the block chain network; calculating by using the root key to obtain a state key corresponding to the transaction request; and encrypting the transaction data by using the state key corresponding to the transaction request to obtain encrypted state data.
Optionally, the obtaining the root key of the blockchain network includes: calling a key management chain code, wherein in the process of changing the root key each time, the block number of the block written with the root key change transaction is recorded through the key management chain code; and acquiring the latest root key according to the block number of the block written with the latest root key change transaction recorded in the key management chain code.
Optionally, each of the block chain nodes has a corresponding state database, where the state database includes historical encrypted state data obtained by encrypting transaction data using a historical state key, and the executing a transaction logic corresponding to the transaction request includes: reading target historical encryption state data related to the transaction request from the state database; acquiring a target historical state key corresponding to the target historical encryption state data; decrypting the target historical encrypted state data based on the target historical state key to obtain decrypted state data; and executing transaction logic to the decrypted state data to obtain the transaction data.
Optionally, the obtaining of the target history status key corresponding to the target history encryption status data includes: determining the block number of a block recording the transaction which modifies the target historical encryption state data for the last time; determining a target historical root key according to the block number of the block recording the transaction which modifies the target historical encryption state data for the last time; and calculating the target history state key by using the target history root key.
Optionally, before responding to the transaction request from the client, the transaction request from the client is obtained through the user chain code.
Wherein, obtaining the root key of the block chain network comprises: calling a key management chain code through the user chain code; and acquiring the root key of the block chain network from a state database through the key management chain code.
Wherein the obtaining of the state key corresponding to the transaction request by using the root key includes: acquiring a chain code key of the user chain code; and calculating to obtain a state key corresponding to the transaction request by using the chain code key of the user chain code and the root key.
Optionally, the obtaining, by using the root key, a state key corresponding to the transaction request includes: and calculating to obtain a state key corresponding to the transaction request by using the root key and the transaction identifier corresponding to the transaction request.
Another aspect of the present disclosure provides a data encryption system applied to any blockchain node in a blockchain network, where the system includes: the execution module is used for responding to a transaction request from a client and executing a transaction logic corresponding to the transaction request to obtain transaction data; an obtaining module, configured to obtain a root key of the blockchain network; the computing module is used for computing a state key corresponding to the transaction request by utilizing the root key; and the encryption module is used for encrypting the transaction data by using the state key corresponding to the transaction request to obtain encrypted state data.
Optionally, the obtaining module includes: a calling unit, configured to call a key management chain code, where in each root key change process, a block number of a block in which a root key change transaction is written is recorded by the key management chain code; and a first obtaining unit configured to obtain the latest root key according to the block number of the block in which the latest root key change transaction is written, which is recorded in the key management chain code.
Optionally, each of the block link nodes has a corresponding state database, where the state database includes historical encrypted state data obtained by encrypting transaction data using a historical state key, and the execution module includes: a reading unit, configured to read target historical encryption status data related to the transaction request from the status database; a second obtaining unit configured to obtain a target history status key corresponding to the target history encrypted status data; a decryption unit, configured to decrypt the target historical encrypted state data based on the target historical state key to obtain decrypted state data; and the execution unit is used for executing the transaction logic on the decryption state data to obtain the transaction data.
Optionally, the second obtaining unit includes: a first determining subunit, configured to determine a block number of a block in which a transaction that modifies the target historical encryption state data last time is recorded; a second determining subunit, configured to determine a target history root key according to the block number of the block in which the transaction that modified the target history encryption status data last time is recorded; and a calculating subunit, configured to calculate the target history state key by using the target history root key.
Optionally, before responding to the transaction request from the client, the transaction request from the client is obtained through the user chain code.
The acquisition module is used for calling a key management chain code through the user chain code; acquiring a root key of the block chain network from a state database through the key management chain code;
the computing module is further configured to obtain a chain code key of the user chain code; and calculating to obtain a state key corresponding to the transaction request by using the chain code key of the user chain code and the root key.
Optionally, the computing module is configured to compute, by using the root key and the transaction identifier corresponding to the transaction request, a state key corresponding to the transaction request.
Another aspect of the present disclosure provides a computer system, applied to any blockchain node in a blockchain network, the computer system including: a processor; a computer readable storage medium storing one or more programs which, when executed by the processor, cause the processor to implement the method as described above.
Another aspect of the disclosure provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement the method as described above.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario in which a data encryption method, system, and computer system may be applied, according to embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of data encryption according to an embodiment of the present disclosure;
fig. 3 schematically illustrates a flow chart for obtaining a root key of a blockchain network according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram for executing transactional logic corresponding to a transactional request in accordance with an embodiment of the disclosure;
FIG. 5 schematically illustrates a flow diagram for obtaining a target historical state key corresponding to target historical encrypted state data, in accordance with an embodiment of the disclosure;
FIG. 6 schematically shows a flow diagram of a method of data encryption according to another embodiment of the present disclosure;
FIG. 7 schematically illustrates a system diagram in which a method of data encryption may be performed according to another embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a data encryption system according to an embodiment of the present disclosure; and
FIG. 9 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "A, B and at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include, but not be limited to, systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
Blockchains can be generally classified into public chains (public chains) and permission chains (permissioned chains). The permission chain may be divided into a federation chain (consortium) and a private chain (private chain) according to whether the data maintainer is a single entity (entity).
In the field of privacy protection, with the requirement of GDPR (General data protection Regulation, abbreviated as GDPR) proposed by the european union, the owner of data also has a requirement for providing privacy protection. Data privacy issues are becoming an important factor limiting the value and area of blockchain applications. In general, a storage key may be generated based on the blockchain and then the data on the blockchain may be encrypted with the key.
The embodiment of the disclosure provides a data encryption method, which is applied to any one block chain node in a block chain network, and the method comprises the steps of responding to a transaction request from a client, executing transaction logic corresponding to the transaction request, and obtaining transaction data; acquiring a root key of a block chain network; calculating by using the root key to obtain a state key corresponding to the transaction request; and encrypting the transaction data by using the state key corresponding to the transaction request to obtain encrypted state data.
Fig. 1 schematically illustrates an application scenario in which a data encryption method, system, and computer system may be applied according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of a scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the application scenario illustrates a blockchain network 100, wherein the blockchain network 100 may include nodes (peers) 1 to 5. Nodes 1-5 may collectively maintain blockchain 102.
Nodes 1-5 may be various computing nodes having the same or different computing capabilities. Such as a personal computer, a web server, a database server, a smart phone, etc., without limitation. Any two nodes from the node 1 to the node 5 can carry out point-to-point communication. Each node in the nodes 1 to 5 executes each transaction and operation in the block chain network according to a certain rule.
The block chain 102 may be a distributed database of blocks linked in chronological order by hash pointers. Blocks of the block chain are added according to the time sequence, when a preset condition is met, each node in the block chain network allows a current node to create the block and add the block into the block chain, and the added block is used as the current latest block on the block chain. At a certain moment in time, the system is, the node maintaining the same blockchain obtains the same current latest block from the blockchain.
According to an embodiment of the present disclosure, the blockchain network 100 may operate based on a Fabric project (hereinafter, referred to as a "Fabric system") of a hyper ledger (hyper book), and the present disclosure provides a method for encrypting uplink data based on a Fabric system, where all private data is encrypted before being written into a blockchain, where the private data may be transaction data defined according to different actual requirements and requiring privacy protection. For example, the data may be price data, volume of transaction, etc. in the transaction data. It should be noted that the Fabric system is merely an example to illustrate the implementation principle of the present disclosure, and the embodiments of the present disclosure can also be applied to other types of blockchain systems, which is not limited herein.
It should be noted that the number of nodes in the blockchain network 100 and the number of blocks in the blockchain 102 shown in fig. 1 are merely illustrative, and the present disclosure does not limit the number of nodes and the number of blocks.
Fig. 2 schematically shows a flow chart of a data encryption method according to an embodiment of the present disclosure.
The data encryption method is applied to any one blockchain node in a blockchain network as shown in fig. 1, and the blockchain network may include a plurality of blockchain nodes. As shown in fig. 2, the method includes operations S210 to S240.
In operation S210, in response to the transaction request from the client, the transaction logic corresponding to the transaction request is executed, and transaction data is obtained.
According to the embodiment of the disclosure, the transaction request may be, for example, a transaction-type transaction request such as a transfer transaction request, a purchase transaction request, or other non-transaction-type transaction request, for example, an authentication transaction request, an authority authentication transaction request, or the like.
In operation S220, a root key of the blockchain network is acquired.
According to an embodiment of the present disclosure, the root key of the blockchain network is a system-level key, which is unique throughout the system and can be maintained by a key management chain code. The root key of the blockchain network may be stored in the privacy state database.
In operation S230, a state key corresponding to the transaction request is calculated using the root key.
According to the embodiment of the present disclosure, the manner of obtaining the state key corresponding to the transaction request by using the root key is not limited. For example, a state key corresponding to the transaction request may be calculated using the root key and the transaction identification corresponding to the transaction request. Wherein each transaction request has a corresponding transaction identifier for identifying the uniqueness of the transaction request. Therefore, different transaction requests can have different state keys, corresponding transaction data is encrypted by using the different state keys, one state key, namely one time key, can be used for encrypting the transaction data when one transaction request is executed, and the security of the transaction data is improved. Description of the status key will be continued in the following embodiments.
In operation S240, the transaction data is encrypted using a status key corresponding to the transaction request, resulting in encrypted status data.
According to the embodiment of the disclosure, after obtaining the encryption status data, the encryption status data may be written into the blockchain, that is, the encryption status data is uplinked, so as to ensure the security, transparency, and availability of the data.
According to the embodiment of the disclosure, a multi-level key system, namely a root key and a state key system, is adopted, the root key of the block chain network is obtained, then the state key corresponding to the transaction request is obtained through calculation by using the root key, different transaction requests can have different state keys, and corresponding transaction data is encrypted by using different state keys for each transaction, so that one state key is used for encrypting when one transaction request is executed, the diversity and the instantaneity of the key are realized, and the safety of the data is improved.
The method shown in fig. 2 is further described with reference to fig. 3-7 in conjunction with specific embodiments.
Fig. 3 schematically shows a flowchart for obtaining a root key of a blockchain network according to an embodiment of the present disclosure.
As shown in fig. 3, obtaining the root key of the blockchain network includes operations S310 to S320.
In operation S310, a key management chain is called, wherein the block number of the block to which the root key change transaction is written is recorded by the key management chain each time the root key is changed.
According to an embodiment of the present disclosure, for example, the key management chain code records that the block number of the block in which the last root key change transaction is written is M, the root key after the change is S, and when the maximum block number in the front block chain is N, where N > M, and both N and M are integers, then for the block between [ M +1,N ], the root key used in encrypting the transaction in the block is S. If the system root key is changed again and the root key change transaction is written into the (N + 1) th block, then, starting from the (N + 1) th block, the latest root key is used for encrypting the transactions in the block.
According to embodiments of the present disclosure, the present disclosure supports key changes for security considerations, such as key leakage, or periodic key updates. And a self-defined key management chain code is introduced to manage the key change transaction.
According to the embodiment of the disclosure, a user having the authority to change the root key can call the key management chain code by using the client, execute the root key change transaction, and then record the block number of the block in which the root key change transaction is written.
According to an embodiment of the present disclosure, changing the root key may include performing an operational procedure of a root key change transaction as follows.
First, a user requests a node peer through a client to invoke a key management chain code (may be abbreviated as KMCC) to deploy a root key, and puts a root key parameter in a transitionmap (temporary preset area). And then, the KMCC receives the client request, takes out the root key parameter from the TransientMap, writes the root key parameter into the privacy read-write set PravateCollection, and distributes the privacy read-write set to other block chain nodes according to the strategy of the privacy read-write set PravateCollection. Then, the node peer endorses the public read-write set and responds to the client. And after collecting the responses of the endorsement nodes, the client initiates a request to the Order node Order. And the Order node Order receives the request, packs the request into a block after collecting a certain number of transactions, and sends the block to other nodes. Finally, after other nodes receive the block, the block and the affairs in the block are checked, and the read-write set (including the public read-write set and the private read-write set) is submitted to the state database, so that the purpose of changing the root key is achieved. Wherein the public read-write set can be submitted to a public state database and the private read-write set can be submitted to a private state database.
In operation S320, the latest root key is obtained according to the block number of the block in which the latest root key change transaction is written, which is recorded in the key management chain code.
According to the embodiment of the disclosure, for the latest transaction request, the state key corresponding to the transaction request needs to be calculated by using the latest root key. With the embodiments of the present disclosure, it is possible to find a target block according to the block number of the block to which the latest root key change transaction is written, and then read the latest root key from the target block.
By the embodiment of the disclosure, a self-defined key management chain code is introduced to manage key change transactions, support key change, and cope with key leakage or regular key update.
FIG. 4 schematically shows a flow diagram of executing transactional logic corresponding to a transactional request according to an embodiment of the disclosure.
As shown in FIG. 4, executing the transaction logic corresponding to the transaction request includes operations S410-S440.
In operation S410, target historical encryption status data associated with the transaction request is read from the status database.
According to the embodiment of the disclosure, each block chain node has a corresponding state database, and the state database includes historical encrypted state data obtained by encrypting transaction data by using a historical state key.
According to the embodiment of the disclosure, when responding to the current transaction request, the target historical encryption state data related to the current transaction request can be read from the state database, and the target historical encryption state data is data required for executing the latest transaction request. For example, the current transaction request is a transfer transaction request, and encrypted status data associated with the transfer transaction request, such as the balance of the transferring party, historical transaction records, etc., may be read from the status database.
In operation S420, a target history status key corresponding to the target history encryption status data is acquired.
According to the embodiment of the disclosure, since the transaction data corresponding to each transaction request is encrypted by using the corresponding state key, the target history encrypted state data needs to be decrypted by using the target history state key.
In operation S430, the target history encrypted status data is decrypted based on the target history status key, resulting in decrypted status data.
In operation S440, the transaction logic is executed on the decrypted state data, resulting in transaction data.
According to the embodiment of the disclosure, after the transaction data is obtained, the transaction data may be encrypted by using the state key corresponding to the current transaction request, so as to obtain encrypted state data. Finally, the encryption status data is linked up, and meanwhile, the encryption status data and the status key can be stored in a status database.
Fig. 5 schematically illustrates a flowchart of obtaining a target history status key corresponding to target history encrypted status data according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, the target history state key may be calculated by a target history root key.
According to an embodiment of the present disclosure, each time the root key of the blockchain network is changed, the block number of the block to which the root key change transaction is written may be recorded in the status database. For example, according to the sequence, the block number of the block in which the root key change transaction 1 is written is X, and the changed root key is S1. The block number of the block in which the root key change transaction 2 is written is Y, and the root key after the change is S2. The block number of the block in which the root key change transaction 3 is written is Z, and the root key after the change is S3. Wherein Z > Y > X, and Z, Y, X are integers. Then the root key used to encrypt transactions in the block between [ X +1,Y-1] is S1. In the blocks between [ Y +1,Z-1], the root keys used for encrypting the transactions in the blocks are S2, and in the blocks after Z +1, the root keys used for encrypting the transactions in the blocks are S3.
According to the embodiment of the disclosure, since the block number of the block in which the root key change transaction is written can be recorded in the status database each time the root key of the blockchain network is changed, the target historical root key can be determined from the status database according to the block number of the block in which the transaction that last modified the target historical encryption status data is recorded.
As shown in fig. 5, acquiring the target history status key corresponding to the target history encrypted status data includes operations S510 to S530.
In operation S510, a block number of a block in which a transaction that last modified the target historical encryption status data is recorded is determined.
In operation S520, a target history root key is determined according to a block number of a block in which a transaction that last modified the target history encryption status data is recorded.
According to embodiments of the present disclosure, since multiple modifications may be made to the decrypted target historical encryption state data, each modification transaction is written to a different block. Thus, the target historical root key needs to be determined based on the block number of the block in which the last transaction to modify the target historical encryption status data was recorded.
In operation S530, a target history state key is calculated using the target history root key.
Through the embodiment of the disclosure, a historical key recovery method based on the block chain block number is provided, so that after the root key is changed, the historical encryption state data can still be correctly decrypted.
Fig. 6 schematically shows a flow chart of a data encryption method according to another embodiment of the present disclosure.
As shown in fig. 6, the data encryption method includes operations S610 to S670.
In operation S610, a transaction request from a client is obtained through a user chain code before responding to the transaction request from the client.
According to the embodiment of the disclosure, the client can initiate a transaction request to the Peer node, the Peer node can call the user chain code to execute the transaction, and the user chain code obtains the transaction request initiated by the client.
In operation S620, in response to the transaction request from the client, the transaction logic corresponding to the transaction request is executed, and transaction data is obtained.
According to an embodiment of the disclosure, the user chain code may read encrypted state data corresponding to the transaction request from the state database and invoke the key management chain code according to the last transaction that modified the state data. And acquiring a historical root key from the key management chain code, calculating to obtain a state key according to the historical root key, and decrypting the encrypted state data by using the state key. Or, obtaining a historical root key from the key management chain code, calculating according to the historical root key to obtain a chain code key, calculating according to the chain code key to obtain a corresponding state key, and decrypting the encrypted state data by using the state key. And executing the transaction logic according to the decrypted data. According to an embodiment of the present disclosure, after the transaction logic is executed to obtain the transaction data, operations S630 to S670 may be performed to encrypt the transaction data.
In operation S630, a key management chain code is called by the user chain code.
According to the embodiment of the disclosure, after the transaction logic is executed to obtain the transaction data, the key management chain code may be called again through the user chain code.
In operation S640, a root key of the blockchain network is acquired from the state database through the key management chain code.
In operation S650, a chain code key of the user chain code is acquired.
According to the embodiment of the disclosure, the chain code key of the user chain code can be obtained by calculation according to the root key, and the chain code key of a fixed user chain code can also be preset.
In operation S660, a state key corresponding to the transaction request is calculated by using the chain key and the root key of the user chain.
According to the embodiment of the disclosure, for example, a state key corresponding to the transaction request is calculated by using the chain key, the root key and the transaction identifier of the user chain code.
In operation S670, the transaction data is encrypted using a state key corresponding to the transaction request, resulting in encrypted state data.
According to embodiments of the present disclosure, encrypted state data may be written into a state database. And writing all read-write operations of the state database into a read-write set, and the Peer node endorses the response and responds the endorsement result to the client. The client forwards the endorsement result to a sequencing node (namely an Order node) in a transaction initiating manner, and the Order node packs a certain number of transactions into blocks and forwards the blocks to other nodes for consensus. And after receiving the block, the other nodes verify the block and the transaction in the block, and submit the read-write set to a state database of the other nodes after the verification is passed.
According to the embodiment of the disclosure, a multi-level key system, namely a root key, a chain code key and a state key system, is adopted, the root key of a block chain network and the chain code key of a user chain code are obtained, then the state key corresponding to a transaction request is obtained by utilizing the root key and the chain code key, different transaction requests can have different state keys, corresponding transaction data is encrypted by utilizing different state keys for each transaction, one state key is used for encrypting when one transaction request is executed, the diversity and the instantaneity of the keys are realized, and the security of the data is improved.
The flow chart shown in fig. 6 will be described with reference to the system diagram shown in fig. 7.
Fig. 7 schematically shows a system diagram in which a data encryption method may be performed according to another embodiment of the present disclosure.
As shown in fig. 7, each tile chain node may have a corresponding status database, wherein the status databases may include a public status database and a private status database, each for storing different data, for example, the public status database may be used for storing encrypted status data, and the private status database may be used for storing root keys, although the disclosure is not limited thereto.
According to the embodiment of the disclosure, the node can read the encryption state data from the public state database, and send the encryption state data, the last transaction for modifying the state data and the block number where the transaction is located to the user chain code through the interface.
The user chain code can call a key management chain code, and the root key of the block chain network is obtained from the state database through the key management chain code. For example, the historical root key is retrieved from the privacy state database. The key management chain code records the block number of the root key change in history and the corresponding root key index, determines the root key according to the block number requested by the user chain code, and returns the root key to the user chain code. The user chain code can derive a corresponding state key, and the encrypted state data is decrypted according to the returned state key. Alternatively, the key management chain code may also directly derive the corresponding state key, and send the state key to the user chain code.
According to the embodiment of the disclosure, before encrypting the transaction data, the user chain code may obtain the root key from the key management chain code, and calculate the state key. Or the key management chain code calculates the state key according to the current latest root key and returns the state key to the user chain code, and the user chain code encrypts the state data.
According to the embodiment of the disclosure, the root key can be changed through the key management chain code, the block number of the historical root key change is recorded, and the changed root key is written into the privacy state database.
Fig. 8 schematically illustrates a block diagram of a data encryption system according to an embodiment of the present disclosure.
The data encryption system 800 is applied to any blockchain node in a blockchain network, and as shown in fig. 8, the data encryption system 800 includes an execution module 810, an acquisition module 820, a calculation module 830, and an encryption module 840.
The execution module 810 is configured to respond to the transaction request from the client, and execute the transaction logic corresponding to the transaction request to obtain the transaction data.
The obtaining module 820 is configured to obtain a root key of the blockchain network.
The calculation module 830 is configured to calculate a state key corresponding to the transaction request by using the root key.
The encryption module 840 is configured to encrypt the transaction data by using a status key corresponding to the transaction request, so as to obtain encrypted status data.
According to the embodiment of the disclosure, a multi-level key system is adopted, the root key of the block chain network is obtained, the state key corresponding to the transaction request is obtained through calculation by using the root key, different transaction requests can have different state keys, and for each transaction, the corresponding transaction data is encrypted by using different state keys, so that one state key is used for encrypting when one transaction request is executed, the diversity and the instantaneity of the key are realized, and the data security is improved.
According to an embodiment of the present disclosure, the obtaining module 820 includes a calling unit and a first obtaining unit.
The calling unit is used for calling the key management chain code, wherein in the process of changing the root key each time, the block number of the block written with the root key change transaction is recorded through the key management chain code.
The first obtaining unit is configured to obtain the latest root key according to the block number of the block in which the latest root key change transaction is written, which is recorded in the key management chain code.
According to an embodiment of the present disclosure, each blockchain node has a corresponding state database, where the state database includes historical encrypted state data obtained by encrypting transaction data using a historical state key, and the execution module 810 includes a reading unit, a second obtaining unit, a decryption unit, and an execution unit.
The reading unit is used for reading target historical encryption state data related to the transaction request from the state database.
The second acquisition unit is used for acquiring a target history state key corresponding to the target history encryption state data.
The decryption unit is used for decrypting the target historical encrypted state data based on the target historical state key to obtain decrypted state data.
The execution unit is used for executing the transaction logic on the decryption state data to obtain the transaction data.
According to an embodiment of the present disclosure, the second acquisition unit includes a first determination subunit, a second determination subunit, and a calculation subunit.
The first determining subunit is configured to determine a block number of a block in which a transaction that last modified the target historical encryption status data is recorded.
The second determining subunit is configured to determine the target history root key according to the block number of the block in which the transaction that last modified the target history encryption status data is recorded.
And the calculation subunit is used for calculating a target history state key by using the target history root key.
According to the embodiment of the disclosure, before responding to the transaction request from the client, the transaction request from the client is acquired through the user chain code.
The obtaining module 820 is configured to invoke the key management chain code through the user chain code, and obtain the root key of the blockchain network from the status database through the key management chain code.
The calculating module 830 is further configured to obtain a chain code key of the user chain code, and calculate a state key corresponding to the transaction request by using the chain code key and the root key of the user chain code.
According to an embodiment of the present disclosure, the calculating module 830 is configured to calculate, by using the root key and the transaction identifier corresponding to the transaction request, a status key corresponding to the transaction request.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any of the execution module 810, the obtaining module 820, the calculation module 830, and the encryption module 840 may be combined into one module to be implemented, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the disclosure, at least one of the executing module 810, the obtaining module 820, the calculating module 830 and the encrypting module 840 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or may be implemented by any one of three implementations of software, hardware and firmware, or any suitable combination of any of the three. Alternatively, at least one of the execution module 810, the obtaining module 820, the calculation module 830 and the encryption module 840 may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
According to an embodiment of the present disclosure, there is also provided a computer system applied to any one blockchain node in a blockchain network, the computer system including: a processor; a computer readable storage medium storing one or more programs, which when executed by a processor, cause the processor to implement the data encryption methods provided by the present disclosure.
There is also provided, in accordance with an embodiment of the present disclosure, a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement a data encryption method provided by the present disclosure.
FIG. 9 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method according to an embodiment of the present disclosure. The computer system illustrated in FIG. 9 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 9, computer system 900 includes a processor 910 and a computer-readable storage medium 920. The computer system 900 may perform a method according to an embodiment of the disclosure.
In particular, processor 910 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 910 may also include onboard memory for caching purposes. The processor 910 may be a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
Computer-readable storage media 920, such as may be non-volatile computer-readable storage media, specific examples include, but are not limited to: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and so on.
The computer-readable storage medium 920 may include a computer program 921, which computer program 921 may include code/computer-executable instructions that, when executed by the processor 910, cause the processor 910 to perform a method according to an embodiment of the present disclosure, or any variation thereof.
The computer program 921 may be configured with computer program code, for example, comprising computer program modules. For example, in an example embodiment, code in computer program 921 may include one or more program modules, including, for example, 921A, modules 921B, … …. It should be noted that the division and number of the modules are not fixed, and those skilled in the art may use suitable program modules or program module combinations according to actual situations, and when the program modules are executed by the processor 910, the processor 910 may execute the method according to the embodiment of the present disclosure or any variation thereof.
According to an embodiment of the present invention, at least one of the execution module 810, the obtaining module 820, the calculation module 830 and the encryption module 840 may be implemented as a computer program module described with reference to fig. 9, which, when executed by the processor 910, may implement the corresponding operations described above.
The present disclosure also provides a readable storage medium, which may be contained in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the readable storage medium may be a non-volatile computer readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.

Claims (8)

1. A data encryption method applied to any blockchain node in a blockchain network, the method comprising:
responding to a transaction request from a client, and executing a transaction logic corresponding to the transaction request to obtain transaction data;
acquiring a root key of the block chain network;
calculating by using the root key to obtain a state key corresponding to the transaction request; and
encrypting the transaction data by using a state key corresponding to the transaction request to obtain encrypted state data;
each block link node is provided with a corresponding state database, and the state database comprises historical encryption state data obtained by encrypting transaction data by using a historical state key;
the executing the transaction logic corresponding to the transaction request to obtain the transaction data comprises:
reading target historical encryption state data related to the transaction request from the state database;
acquiring a target historical state key corresponding to the target historical encryption state data;
decrypting the target historical encrypted state data based on the target historical state key to obtain decrypted state data; and
executing transaction logic on the decrypted state data to obtain the transaction data;
wherein the obtaining of the target history status key corresponding to the target history encryption status data comprises:
determining a block number of a block in which a transaction that last modified the target historical encryption status data was recorded;
determining a target historical root key according to the block number of the block recording the transaction which modifies the target historical encryption state data for the last time; and
and calculating the target history state key by using the target history root key.
2. The method of claim 1, wherein obtaining a root key of the blockchain network comprises:
calling a key management chain code, wherein in the process of changing the root key each time, the block number of the block written with the root key change transaction is recorded through the key management chain code; and
and acquiring the latest root key according to the block number of the block written with the latest root key change transaction recorded in the key management chain code.
3. The method of claim 1, wherein prior to responding to a transaction request from a client, the transaction request from the client is obtained via a user chain code;
wherein obtaining the root key of the blockchain network comprises:
calling a key management chain code through the user chain code; and
acquiring a root key of the block chain network from a state database through the key management chain code;
wherein the obtaining of the state key corresponding to the transaction request by using the root key comprises:
acquiring a chain code key of the user chain code; and
and calculating to obtain a state key corresponding to the transaction request by using the chain code key of the user chain code and the root key.
4. The method of claim 1, wherein calculating a state key corresponding to the transaction request using the root key comprises:
and calculating to obtain a state key corresponding to the transaction request by using the root key and the transaction identifier corresponding to the transaction request.
5. A data encryption system for use in any blockchain node in a blockchain network, the system comprising:
the execution module is used for responding to a transaction request from a client and executing a transaction logic corresponding to the transaction request to obtain transaction data;
an obtaining module, configured to obtain a root key of the blockchain network;
the computing module is used for computing a state key corresponding to the transaction request by utilizing the root key; and
the encryption module is used for encrypting the transaction data by using a state key corresponding to the transaction request to obtain encrypted state data;
each block chain node is provided with a corresponding state database, and the state database comprises historical encrypted state data obtained by encrypting transaction data by adopting a historical state key;
the execution module comprises:
a reading unit, configured to read target historical encryption status data related to the transaction request from the status database;
a second acquisition unit configured to acquire a target history status key corresponding to the target history encryption status data;
the decryption unit is used for decrypting the target historical encrypted state data based on the target historical state key to obtain decrypted state data; and
the execution unit is used for executing transaction logic on the decryption state data to obtain the transaction data;
wherein the second acquisition unit includes:
a first determining subunit, configured to determine a block number of a block in which a transaction that last modified the target historical encryption state data is recorded;
a second determining subunit, configured to determine a target history root key according to the block number of the block in which the transaction that modified the target history encryption status data last time is recorded; and
and the calculation subunit is used for calculating the target history state key by using the target history root key.
6. The system of claim 5, wherein the acquisition module comprises:
the system comprises a calling unit, a processing unit and a processing unit, wherein the calling unit is used for calling a key management chain code, and in the process of changing a root key each time, the key management chain code records the block number of a block written with a root key change transaction; and
a first obtaining unit, configured to obtain a latest root key according to the block number of the block in which the latest root key change transaction is written, which is recorded in the key management chain code.
7. A computer system for use in any blockchain node in a blockchain network, the computer system comprising:
a processor;
a computer-readable storage medium for storing one or more programs,
wherein the one or more programs, when executed by the processor, cause the processor to implement the method of any of claims 1-4.
8. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 4.
CN202010149130.7A 2020-03-05 2020-03-05 Data encryption method, system, computer system and computer readable storage medium Active CN111291399B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010149130.7A CN111291399B (en) 2020-03-05 2020-03-05 Data encryption method, system, computer system and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010149130.7A CN111291399B (en) 2020-03-05 2020-03-05 Data encryption method, system, computer system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111291399A CN111291399A (en) 2020-06-16
CN111291399B true CN111291399B (en) 2023-01-17

Family

ID=71026936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010149130.7A Active CN111291399B (en) 2020-03-05 2020-03-05 Data encryption method, system, computer system and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111291399B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113112354A (en) * 2021-03-04 2021-07-13 卓尔智联(武汉)研究院有限公司 Transaction processing method of block chain network, block chain network and storage medium
WO2022193119A1 (en) * 2021-03-16 2022-09-22 中国科学院深圳先进技术研究院 Blockchain data protection method and system
CN112968904B (en) * 2021-03-16 2022-09-06 中国科学院深圳先进技术研究院 Block chain data protection method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108596588A (en) * 2018-04-28 2018-09-28 百度在线网络技术(北京)有限公司 A kind of processing method of block data, device, computing device and storage medium
CN109345242A (en) * 2018-09-18 2019-02-15 百度在线网络技术(北京)有限公司 Key storage, update method, device, equipment and medium based on block chain
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN110188545A (en) * 2019-04-26 2019-08-30 特斯联(北京)科技有限公司 A kind of data ciphering method and device based on chain database

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9992028B2 (en) * 2015-11-26 2018-06-05 International Business Machines Corporation System, method, and computer program product for privacy-preserving transaction validation mechanisms for smart contracts that are included in a ledger

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108596588A (en) * 2018-04-28 2018-09-28 百度在线网络技术(北京)有限公司 A kind of processing method of block data, device, computing device and storage medium
CN109345242A (en) * 2018-09-18 2019-02-15 百度在线网络技术(北京)有限公司 Key storage, update method, device, equipment and medium based on block chain
CN109831298A (en) * 2019-01-31 2019-05-31 阿里巴巴集团控股有限公司 The method of security update key and node, storage medium in block chain
CN110188545A (en) * 2019-04-26 2019-08-30 特斯联(北京)科技有限公司 A kind of data ciphering method and device based on chain database

Also Published As

Publication number Publication date
CN111291399A (en) 2020-06-16

Similar Documents

Publication Publication Date Title
CN113438289B (en) Block chain data processing method and device based on cloud computing
US11178121B2 (en) Secure software updates
CN110457875B (en) Data authorization method and device based on block chain
CN110473094B (en) Data authorization method and device based on block chain
US8411863B2 (en) Full volume encryption in a clustered environment
CN111291399B (en) Data encryption method, system, computer system and computer readable storage medium
CN110266659B (en) Data processing method and equipment
CN102208001B (en) The virtual cryptographic service of hardware supported
JP5196883B2 (en) Information security apparatus and information security system
EP3813292A1 (en) Blockchain-based service data encryption method and apparatus
CN111008228A (en) Method and device for inquiring account privacy information in block chain
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
JP6543743B1 (en) Management program
US11720689B2 (en) Data registration method, data decryption method, data structure, computer, and program
US11917088B2 (en) Integrating device identity into a permissioning framework of a blockchain
US11343072B2 (en) Method and apparatus for providing service using kiosk
CN109657492A (en) Data base management method, medium and electronic equipment
US8972732B2 (en) Offline data access using trusted hardware
CN115033919A (en) Data acquisition method, device and equipment based on trusted equipment
US20230138102A1 (en) Method and system for managing decentralized data using attribute-based encryption
WO2021169767A1 (en) Data processing method and apparatus, device and medium
KR102622665B1 (en) Method and apparatus for managing data based on blockchain
US11349641B2 (en) Information processing device, information processing method, and recording medium
JP2006172351A (en) Method and system for content expiration date management by use of removable medium
WO2022121673A1 (en) Decentralized broadcast encryption and key generation facility

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant