CN111400728A - Data encryption and decryption method and device applied to block chain - Google Patents

Publication number
CN111400728A
Authority
CN
China
Prior art keywords
data
level
ciphertext data
field
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010149278.0A
Other languages
Chinese (zh)
Inventor
朱江
高波
夏雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254: Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Abstract

The invention provides a data encryption and decryption method and device applied to a blockchain, and relates to the technical field of blockchains. The data encryption method comprises the following steps: acquiring plaintext data to be encrypted; performing field-level encryption and/or row-level encryption on the plaintext data to generate ciphertext data; generating an authorization relation table for the ciphertext data, in which the field-level viewing permissions and/or row-level viewing permissions of users with different identities over the ciphertext data are recorded; and storing the ciphertext data and the authorization relation table on the blockchain. The invention addresses the technical problem that data access permissions in a blockchain are coarse-grained.

Description

Data encryption and decryption method and device applied to block chain
Technical Field
The present invention relates to the field of block chain technologies, and in particular, to a data encryption and decryption method and apparatus applied to a block chain.
Background
With the advent of the cloud computing and big data era, the rapid growth and spread of data places higher demands on data privacy protection. Blockchain technology establishes a new trust system and guarantees the security of user data through a data structure that cannot be tampered with, an advanced consensus algorithm, on-chain data auditability, and similar characteristics. However, data on the blockchain is fully visible to the nodes of all participating parties, which cannot meet the requirements of certain specific scenarios.
Traditional cloud data privacy protection schemes are not suitable for being moved directly onto a blockchain: doing so significantly weakens the trust basis among the parties participating in the blockchain, and the granularity of data access permissions is coarse.
Disclosure of Invention
The invention aims to provide a data encryption and decryption method and device applied to a blockchain, so as to solve the technical problem that data access permissions in a blockchain are coarse-grained.
In a first aspect, an embodiment of the present invention provides a data encryption method applied to a block chain, including:
acquiring plaintext data to be encrypted;
performing field-level encryption and/or line-level encryption on the plaintext data to generate ciphertext data;
generating an authorization relation table of the ciphertext data; wherein, the field level viewing authority and/or row level viewing authority of the users with different identity marks to the ciphertext data are recorded in the authorization relation table;
and storing the ciphertext data and the authorization relation table to a block chain.
In a possible implementation manner, after the step of obtaining the plaintext data to be encrypted, the method further includes:
acquiring the data type of the plaintext data;
and determining the encryption type of the plaintext data according to the data type.
In a possible implementation manner, the step of generating the authorization relationship table of the ciphertext data includes:
acquiring a plurality of identity marks related to the ciphertext data;
determining field level viewing authority and/or row level viewing authority of each identity-identified user on the ciphertext data;
and respectively generating an authorization relation form recorded with field level viewing authority and/or line level viewing authority of the ciphertext data for each identity-identified user.
In a possible embodiment, the step of performing field-level encryption and/or row-level encryption on the plaintext data to generate ciphertext data includes:
performing field-level encryption on the plaintext data to generate preliminary ciphertext data;
and performing row-level encryption on the preliminary ciphertext data to generate ciphertext data.
In a second aspect, an embodiment of the present invention further provides a data decryption method applied to a block chain, where the method includes:
acquiring the identity of a visiting user of the ciphertext data;
inquiring an authorization relation table according to the identity, and obtaining field level viewing permission and/or row level viewing permission of the visiting user to the ciphertext data, wherein the field level viewing permission and/or row level viewing permission of the visiting user to the ciphertext data are recorded in the authorization relation table;
and decrypting the ciphertext data according to the field level viewing authority and/or the line level viewing authority of the visitor to the ciphertext data to generate decrypted data.
In a possible implementation manner, the step of obtaining the field-level viewing right and/or the row-level viewing right of the visitor to the ciphertext data by querying the authorization relationship table according to the identity includes:
querying, according to the identity, the authorization relation form corresponding to the identity in the authorization relation table;
querying, from the authorization relation form, the viewing permission of the visiting user for each field of the ciphertext data; and/or querying, from the authorization relation form, the viewing permission of the visiting user for each row of the ciphertext data.
In a possible implementation manner, the decrypting the ciphertext data according to the field-level viewing right and/or the line-level viewing right of the visiting user to the ciphertext data to generate decrypted data includes:
when the visiting user has field level viewing right and line level viewing right, performing line level decryption on the ciphertext data to generate preliminary decryption data;
and carrying out field-level decryption on the preliminary decrypted data to generate decrypted data.
In one possible embodiment, the method further comprises:
transmitting the decrypted data to the client of the visiting user.
In a third aspect, an embodiment of the present invention provides a data encryption apparatus applied to a block chain, including:
the acquisition module is used for acquiring plaintext data to be encrypted;
the encryption module is used for carrying out field level encryption and/or line level encryption on the plaintext data to generate ciphertext data;
the authorization relation module is used for generating an authorization relation table of the ciphertext data; wherein, the field level viewing authority and/or row level viewing authority of the users with different identity marks to the ciphertext data are recorded in the authorization relation table;
and the transmission module is used for storing the ciphertext data and the authorization relation table to a block chain.
In a fourth aspect, an embodiment of the present invention further provides a data decryption apparatus applied to a block chain, where the data decryption apparatus includes:
the acquisition module is used for acquiring the identity of a visiting user of the ciphertext data;
the query module is used for querying an authorization relation table according to the identity to obtain field level viewing permission and/or row level viewing permission of the visiting user on the ciphertext data;
and the decryption module is used for decrypting the ciphertext data according to the field level viewing authority and/or the line level viewing authority of the visitor to the ciphertext data to generate decrypted data.
In a fifth aspect, an embodiment of the present invention provides an electronic device, which includes a memory and a processor, where the memory stores a computer program operable on the processor, and the processor implements the steps of the method when executing the computer program.
In a sixth aspect, embodiments of the present invention provide a computer-readable storage medium storing machine executable instructions that, when invoked and executed by a processor, cause the processor to perform the method described above.
In the data encryption method applied to the blockchain provided by the embodiment of the invention, plaintext data to be encrypted is first obtained, and field-level encryption and/or row-level encryption is performed on it to generate ciphertext data; that is, field-level encryption alone, row-level encryption alone, or both may be performed. An authorization relation table for the ciphertext data is then generated, and the ciphertext data and the authorization relation table are stored on the blockchain. The authorization relation table records the field-level and/or row-level viewing permissions of users with different identities over the ciphertext data.
In the data decryption method applied to the blockchain provided by the embodiment of the invention, the authorization relation table can be queried according to the identity to obtain the visiting user's field-level and/or row-level viewing permissions over the ciphertext data, and the ciphertext data can be decrypted according to those permissions to generate the decrypted data the visiting user requires.
According to the embodiment of the invention, field-level encryption and/or row-level encryption is performed on plaintext data to generate ciphertext data, and a correspondence is established between each user's identity and the viewing permissions over the ciphertext data, so that each user's viewing permission can be refined down to each row and/or each field. This addresses the technical problem that data access permissions in a blockchain are coarse-grained.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of a data encryption method applied to a blockchain according to an embodiment of the present invention;
FIG. 2 is a detailed flowchart of step S104 according to an embodiment of the present invention;
FIG. 3 is a flowchart of a data decryption method applied to a blockchain according to an embodiment of the present invention;
FIG. 4 is a detailed flowchart of step S302 according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a data encryption apparatus applied to a blockchain according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a data decryption apparatus applied to a blockchain according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an electronic device provided by an embodiment of the invention;
FIG. 8 is a diagram illustrating an encryption and decryption process according to an embodiment of the present invention;
FIG. 9 is a diagram illustrating the detailed process of encryption in an embodiment of the present invention;
FIG. 10 is a diagram illustrating a detailed decryption process according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprising" and "having," and any variations thereof, as referred to in embodiments of the present invention, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
At present, data on a blockchain is fully visible to the nodes of all participating parties, but traditional cloud data privacy protection schemes are not suitable for being moved directly onto the blockchain: doing so significantly weakens the trust basis among the participating parties, and the granularity of data access permissions is coarse.
There are two main types of existing implementations:
Scheme one: the authorizing party symmetrically encrypts the data and stores it on the blockchain, and performs a trusted key exchange online to share and authorize the file.
Scheme two: the authorizing party uses the public key of the accessing party to asymmetrically encrypt the data to be put on chain, and the data user decrypts it with its own private key, thereby authorizing the data.
In scheme one, if each piece of data is symmetrically encrypted, fine-grained encryption cannot be achieved, and so field-level access permissions cannot be granted. For example, an authorizer can only control whether an accessor can see a document, but cannot grant access to a particular chapter of the document. In addition, the key agreement cost for the two parties to a file authorization is high, because a trusted communication channel between them must be established before authorization. Revoking permissions later, once access has been authorized, is also costly.
In scheme two, the authorizer encrypts the data with the accessing party's public key, which effectively protects the security and privacy of the data and requires no off-chain key exchange. However, authorization is one-to-one: if authorizer A authorizes accessor A, the data must be encrypted with accessor A's public key, and each different accessor requires encryption with a different public key. The repeated encryption wastes physical resources and reduces the storage efficiency of data on the chain.
The embodiment of the invention provides a data encryption method applied to a blockchain, which can in particular be applied to the authorizing party in the blockchain.
As shown in FIG. 1, FIG. 8 and FIG. 9, the data encryption method includes the following steps:
S101: Acquire the plaintext data to be encrypted.
In response to the authorizer's request to put data on chain, the data to be put on chain is obtained from the authorizer; this data has not yet been encrypted and is plaintext data.
In a possible implementation, after step S101 the method further includes:
S101.1: Obtain the data type of the plaintext data.
The data type is equivalent to the role of the data and represents the importance of the plaintext data, and accordingly determines the encryption type the plaintext data requires.
S101.2: Determine the encryption type of the plaintext data according to the data type.
The encryption type may specifically be field-level encryption, row-level encryption, or double encryption at both the field level and the row level.
It should be noted that steps S101.1 and S101.2 are optional and need not be performed in some cases.
S102: Perform field-level encryption on the plaintext data to generate preliminary ciphertext data.
Field-level encryption and its authorized access mean that, before the data is put on chain, the plaintext data is transformed by a function using a key, turning the vertical data into meaningless ciphertext; the result is the preliminary ciphertext data, i.e. the ciphertext data after field-level encryption. An authorized accessing party can use the key to restore the ciphertext to plaintext data through the decryption function. The vertical data may be key-value type data.
S103: Perform row-level encryption on the plaintext data to generate ciphertext data.
Row-level encryption and its authorized access work on the same principle: before the plaintext data is put on chain, it is transformed by a function using a key, turning the horizontal data into meaningless ciphertext; the result is the final ciphertext data, i.e. the ciphertext data after row-level encryption. Similarly, an authorized accessing party can use the key to restore the ciphertext to the preliminary ciphertext data through the decryption function. The horizontal data generally refers to user name, age, gender, and the like.
Since this embodiment uses double encryption at the field level and the row level, the encryption process is as described in steps S102 and S103 above. In other embodiments, only one encryption may be needed depending on the requirements of the actual scenario; for example, only step S102 may be performed for field-level encryption, or only step S103 for row-level encryption.
S104: Generate an authorization relation table for the ciphertext data.
The authorization relation table records the field-level and row-level viewing permissions of users with different identities over the ciphertext data. As shown in FIG. 2, in a possible implementation, step S104 may include the following steps:
S1041: Acquire the various identities related to the ciphertext data.
For example, for a piece of ciphertext data, the accessing parties may have various identities such as administrator, maintainer, and common user, and each identity corresponds to different access rights: the administrator has the right to see all data, the maintainer can see most data except key information, and the common user can see only a small part of the data.
S1042: Determine the field-level and row-level viewing permissions of the user of each identity over the ciphertext data.
Because this embodiment uses double encryption at the field level and the row level, the restoration of row-level data and field-level data when the ciphertext data is restored can be determined according to the authorization relationship. For example, user A has the right to restore all of the row-level data and field-level data, while user B can restore only part of the row-level data and field-level data.
S1043: For the user of each identity, generate an authorization relation form recording that user's field-level and row-level viewing permissions over the ciphertext data.
The finally generated authorization relation table is composed of a plurality of authorization relation forms. Each authorization relation form records the authorization relationship of one identity, and the authorization relationship is divided into field-level viewing permission and row-level viewing permission.
In this embodiment, a two-dimensional matrix is used to record the authorization relationship of one identity; that is, the two-dimensional matrix is the authorization relation form. For example, the two-dimensional matrix below, for ciphertext data with 4 rows and 4 fields per row, contains the row-level and field-level viewing permissions of a certain user. A value of 1 in the matrix indicates that the user has viewing permission for that field in that row, and the corresponding data field can be decrypted and displayed to the user as plaintext; a value of 0 indicates that the user has no viewing permission for that field in that row, and it cannot be decrypted.
| | Field level | Field level | Field level | Field level |
|---|---|---|---|---|
| Row level | 0 | 0 | 1 | 0 |
| Row level | 0 | 1 | 1 | 0 |
| Row level | 1 | 0 | 1 | 1 |
| Row level | 0 | 0 | 0 | 0 |
It should be understood that, in other embodiments, if only the field-level encryption of step S102 is performed, only the field-level viewing permissions of users with different identities over the ciphertext data are recorded in the authorization relation table. Likewise, if only the row-level encryption of step S103 is performed, only the row-level viewing permissions of users with different identities are recorded in the authorization relation table.
S105: Store the ciphertext data and the authorization relation table on the blockchain.
The ciphertext data and the authorization relation table are stored on the blockchain. The storage of the authorization relation table deserves particular mention: once stored on the blockchain it cannot be changed arbitrarily, and updating it also requires the steps of being put on chain, endorsement, consensus participation, and so on, which further improves the security of data storage.
The embodiment of the invention also provides a data decryption method applied to the block chain, and the data decryption method can be particularly applied to an access party in the block chain.
As shown in FIG. 3, FIG. 8 and FIG. 10, the data decryption method includes the following steps:
S301: Acquire the identity of the visiting user of the ciphertext data.
In response to the read request of the visiting user (the accessing party), the identity of the visiting user is obtained, such as administrator, maintainer, or common user.
S302: Query the authorization relation table according to the identity to obtain the visiting user's field-level and row-level viewing permissions over the ciphertext data.
The authorization relation table records the field-level and row-level viewing permissions of users with different identities over the ciphertext data. As shown in FIG. 4, in one possible implementation, step S302 may include the following steps:
S3021: Query, according to the identity, the authorization relation form corresponding to the identity in the authorization relation table.
According to the identity, the corresponding authorization relation form is looked up in the authorization relation table; that is, the two-dimensional matrix corresponding to the identity is looked up.
S3022: Query, from the authorization relation form, the visiting user's viewing permission for each field and each row of the ciphertext data.
The visiting user's field-level and row-level viewing permissions over the ciphertext data are queried from the two-dimensional matrix obtained in step S3021; the granularity of these permissions reaches the viewing permission of each field and of each row. In the two-dimensional matrix of the above embodiment, a value of 1 indicates that the visiting user has viewing permission for that field and row, and a value of 0 indicates that there is no viewing permission.
It should be understood that in other embodiments, if the ciphertext data is encrypted only at the field level, this step queries only the visiting user's field-level viewing permission over the ciphertext data from the authorization relation table. Likewise, if the ciphertext data is encrypted only at the row level, this step queries only the row-level viewing permission from the authorization relation table.
S303: Decrypt the ciphertext data according to the visiting user's field-level and row-level viewing permissions over the ciphertext data to generate decrypted data.
For example, if the query of the authorization relation table shows that the visiting user has row-level data viewing permission, row-level decryption is performed on the ciphertext data to restore it to preliminary decrypted data. Then, if the query of the authorization relation table shows that the visiting user has field-level data viewing permission, field-level decryption is performed on the ciphertext data to restore it to plaintext data.
The above is the case where the visiting user has both field-level and row-level viewing permission; if the user has only row-level viewing permission, the user can obtain only the preliminary decrypted data.
Further, the data decryption method provided in this embodiment may also include the following step:
S304: Transmit the decrypted data to the client of the visiting user.
Through the above steps, the decrypted plaintext data or part of the plaintext data, i.e. the decrypted data, is obtained according to the identity of the visiting user and then transmitted to the visiting user's client. This lets the visiting user view the row-level and field-level data, and achieves secure storage and transmission of data in the blockchain.
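The encryption steps S102 to S105 and the decryption steps S301 to S303 can be followed end to end in the sketch below, which is an added example and not code from the patent. It assumes that decryption runs in a service that holds a master key (consistent with S304, where only decrypted data is sent to the client), that per-field and per-row keys are derived from that key with HMAC-SHA256, and that an HMAC-based encrypt-then-MAC construction stands in for a real AEAD such as AES-GCM so the example needs only the standard library; all function names, the identity names and the sample rows are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way sub-key derivation (assumption: HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; a stdlib stand-in for an AEAD such as AES-GCM."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + _prf(_prf(key, b"mac"), nonce + body)


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + body)):
        raise ValueError("ciphertext failed integrity check")
    stream = _keystream(_prf(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def field_key(master: bytes, j: int) -> bytes:
    return _prf(master, b"field:%d" % j)


def row_key(master: bytes, i: int) -> bytes:
    return _prf(master, b"row:%d" % i)


def encrypt_table(master: bytes, rows):
    """S102 then S103: seal every field, then seal each row of sealed fields."""
    sealed_rows = []
    for i, row in enumerate(rows):
        cells = [seal(field_key(master, j), v.encode()).hex() for j, v in enumerate(row)]
        sealed_rows.append(seal(row_key(master, i), json.dumps(cells).encode()))
    return sealed_rows


def decrypt_for(master: bytes, sealed_rows, auth_table, identity: str):
    """S301-S303: look up the identity's matrix, open the row layer, then permitted fields."""
    matrix = auth_table.get(identity)  # unknown identity -> no form -> nothing is opened
    view = []
    for i, blob in enumerate(sealed_rows):
        perms = matrix[i] if matrix and i < len(matrix) else []
        if not any(perms):
            view.append(None)  # no permission in this row: the row layer stays sealed
            continue
        cells = json.loads(unseal(row_key(master, i), blob))
        view.append([
            unseal(field_key(master, j), bytes.fromhex(c)).decode()
            if j < len(perms) and perms[j] == 1 else None
            for j, c in enumerate(cells)
        ])
    return view


# Constructed sample data: 4 rows x 4 fields, the size used by the matrix in the text.
ROWS = [
    ["alice", "34", "F", "acct-001"],
    ["bob", "41", "M", "acct-002"],
    ["carol", "29", "F", "acct-003"],
    ["dave", "52", "M", "acct-004"],
]
AUTH_TABLE = {
    "administrator": [[1] * 4 for _ in range(4)],
    # The matrix shown in the text, assigned here to a hypothetical identity.
    "maintainer": [[0, 0, 1, 0], [0, 1, 1, 0], [1, 0, 1, 1], [0, 0, 0, 0]],
}


def demo():
    master = os.urandom(32)
    on_chain = encrypt_table(master, ROWS)  # stored with AUTH_TABLE in S105
    return {who: decrypt_for(master, on_chain, AUTH_TABLE, who)
            for who in ("administrator", "maintainer", "guest")}


if __name__ == "__main__":
    for who, view in demo().items():
        print(who, view)
```

Cells and rows the identity may not view come back as None, and an identity with no authorization relation form gets nothing, so the default is deny.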
The data encryption method provided by the embodiment of the invention can be implemented based on Blockchain as a Service (BaaS), for example on a BaaS-based blockchain cloud service platform, which can help developers quickly build blockchain infrastructure and provides a complete solution for blockchain application development, deployment, testing and monitoring.
The main functions of the blockchain cloud service platform include:
On-demand deployment: select the blockchain configuration as needed and build a blockchain network with one click.
Block browser: visually displays ledger information such as nodes, blocks, transactions and assets.
Contract IDE (Integrated Development Environment): one-stop smart contract management, including last-time, edit, compile, and deploy.
Application Program Interface (API) calls: provides a RESTful API interface with visual calling and debugging.
Account and certification management: anonymous account creation in asset management, and custom certification issuing and circulation.
Log query: monitors the log information of each blockchain node in real time for viewing.
In the data encryption method and the data decryption method applied to the blockchain provided by the embodiment of the invention, field-level encryption and row-level encryption are performed on plaintext data to generate ciphertext data, and a correspondence is established between each user's identity and the viewing permissions over the ciphertext data, so that each user's viewing permission can be refined down to each row and each field. This addresses the technical problem that data access permissions in a blockchain are coarse-grained.
Compared with the two existing schemes, although data in the blockchain is publicly accessible, once row-level and field-level encryption are introduced only the specified visiting user can remove the encryption of a field and obtain plaintext data. This effectively guarantees the security and privacy of the data while providing a finer-grained authorization function. In addition, the embodiment of the invention stores the authorization relationships of different users in the authorization relation table, which reduces the negotiation cost between the authorizing party and the accessing party and improves the storage efficiency of data on the blockchain.
The embodiment of the invention divides the key sensitive fields in the database into different levels according to security requirements, encrypts them level by level with a symmetric encryption algorithm, and protects the data keys with an elliptic curve encryption algorithm. The symmetric encryption algorithm, the elliptic curve public key encryption algorithm and a one-way function are combined to associate user permissions with the security level of the key sensitive fields. An encrypted database built with this scheme ensures the confidentiality and integrity of sensitive data, saves a large amount of storage space, and supports access with different levels of permission, keeping the database efficient and available. The specific implementation of the scheme mainly comprises the following two aspects:
Database encryption scheme
The encryption scheme consists of 4 stages of system initialization, data key field encryption in a database, safe storage of a data encryption key and decryption of a data encryption field.
1. System initialization
Let $E$ be an elliptic curve over $F_p$, let $P$ be a point on $E(F_p)$, and let the order of $P$ be the prime $n$; then the set $\langle P \rangle = \{O, P, 2P, 3P, \ldots, (n-1)P\}$ is the cyclic subgroup of the elliptic curve generated by $P$. The prime $p$, the elliptic curve equation $E$, the point $P$ and the order $n$ constitute the public parameter set. The private key of user $U_i$ is a positive integer $d$ selected at random from the interval $[1, n-1]$, and the corresponding public key is $Q_i = dP$. The elliptic curve parameter set $(p, E, P, n)$ is stored in the database.
2. Encryption of data key fields in a database
Let Data-term-$l$ denote that the $l$-th field of each record in Data is sensitive information that must be stored in the database as ciphertext, so that this field is invisible (i.e. inaccessible) to general users and can be accessed only by users who reach the required level. Suppose $\alpha$ fields Data-term-$l_\lambda$ ($\lambda = 1, 2, \ldots, \alpha$) of a record in Data are sensitive information, with security level requirements, from high to low, of Data-term-$l_1$, Data-term-$l_2$, …, Data-term-$l_\alpha$. The database stores Data in the following way:
(1) randomly select $k_0 \in \{0,1\}^k$ and compute $k_\lambda = H_2(k_{\lambda-1})$ as the encryption key of the field Data-term-$l_\lambda$;
(2) encrypt Data-term-$l_\lambda$ with the key $k_\lambda$ to obtain its ciphertext CData-term-$l_\lambda$;
(3) store the sensitive fields Data-term-$l_\lambda$ ($\lambda = 1, 2, \ldots, \alpha$) of Data in the database as the ciphertexts CData-term-$l_\lambda$; the remaining fields are still stored in plaintext.
3. Secure storage of database data encryption keys
Suppose the highest-level encrypted field of Data that the authorized user $U_j$ may access is Data-term-$l_\eta$, that is, $U_j$ may access only the encrypted fields Data-term-$l_\eta$, …, Data-term-$l_\alpha$, where $1 < \eta \le \alpha$. The server $U_i$ stores the field encryption key $k_\lambda$ of Data through the following operations:
(1) read the public key $Q_j$ corresponding to the identity $ID_j$ of $U_j$, and the system public parameters params, from the system public file;
(2) select $r \in [1, n-1]$ uniformly at random and, using a private key $S_j$, compute $C_1 = rP$ and $C_2 = k_\eta + rQ_j$;
(3) store the ciphertext $c = (C_1, C_2)$ in the same database as Data.
4. Decryption of data encryption fields
When $U_j$ wants to access an encrypted field of Data, it first obtains $(C_1, C_2)$ from the encrypted database and then proceeds as follows:
(1) compute the decryption key $k = C_2 - dC_1$ using the private key $d$ of user $U_j$, $(C_1, C_2)$ and the public parameter set;
(2) using $k$, compute the decryption keys $k_\tau$ of the encrypted fields CData-term-$l_\eta$, …, CData-term-$l_\alpha$, where $\eta \le \tau \le \alpha$;
(3) decrypt each encrypted field CData-term-$l_\tau$ of Data with the key $k_\tau$ to obtain the plaintext Data-term-$l_\tau$ of that field, where $\eta \le \tau \le \alpha$.
In the above scheme, the legal access area of the authorized user $U_j$ is the encrypted fields CData-term-$l_\tau$ with $\eta \le \tau \le \alpha$. $U_j$ cannot access the encrypted fields CData-term-$l_\tau$, $1 \le \tau \le \eta - 1$, which only authorized users of a higher security level may access. $H_2(\cdot)$ is a secure one-way hash function; therefore, given $k_\eta$, solving for $k_{\eta-1}$ from $k_\eta = H_2(k_{\eta-1})$ is a hard problem for $U_j$.
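The four stages above, carried through end to end as an added example (this is not code from the patent). Assumptions not on the page: secp256k1 as the curve, SHA-256 truncated to 16 bytes as $H_2$, a Koblitz-style embedding of $k_\eta$ as a curve point so that $C_2 = k_\eta + rQ_j$ is well defined, and a keystream XOR as a stand-in for the symmetric field cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Public parameter set (p, E, P, n). Assumption: secp256k1, E: y^2 = x^3 + 7.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
KEY_BYTES = 16  # length of every field key k_lambda

def add(P1, P2):
    """Group law on E(F_p); None stands for the point at infinity O."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, Pt):
    """Scalar multiplication kP by double-and-add (not constant-time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, Pt)
        Pt = add(Pt, Pt)
        k >>= 1
    return R

def H2(k):
    """One-way function H2. Assumption: SHA-256 truncated to KEY_BYTES."""
    return hashlib.sha256(b"H2" + k).digest()[:KEY_BYTES]

def derive_keys(k_from, level_from, alpha):
    """Walk k_t = H2(k_{t-1}): returns {t: k_t} for level_from < t <= alpha."""
    keys, k = {}, k_from
    for t in range(level_from + 1, alpha + 1):
        k = H2(k)
        keys[t] = k
    return keys

def key_to_point(k):
    """Koblitz-style embedding (assumption): first x = k*256 + j that lies on E."""
    base = int.from_bytes(k, "big") << 8
    for j in range(256):
        x = base + j
        rhs = (pow(x, 3, p) + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)  # square-root candidate, valid since p % 4 == 3
        if y * y % p == rhs:
            return (x, y)
    raise ValueError("key could not be embedded")

def point_to_key(Pt):
    """Inverse of key_to_point; rejects points that do not carry a field key."""
    if Pt is None or Pt[0] >> 8 >= 1 << (8 * KEY_BYTES):
        raise ValueError("recovered point is not an embedded key")
    return (Pt[0] >> 8).to_bytes(KEY_BYTES, "big")

def wrap_key(k_eta, Qj):
    """Stage 3: C1 = rP, C2 = k_eta + r*Qj with r uniform in [1, n-1]."""
    r = secrets.randbelow(n - 1) + 1
    return mul(r, P), add(key_to_point(k_eta), mul(r, Qj))

def unwrap_key(d, C1, C2):
    """Stage 4, step (1): k = C2 - d*C1."""
    dC1 = mul(d, C1)
    return point_to_key(add(C2, (dC1[0], -dC1[1] % p)))

def field_cipher(k, nonce, data):
    """Stand-in for the symmetric cipher: SHA-256 counter keystream XOR.
    Unauthenticated; a real deployment would use an AEAD such as AES-GCM."""
    stream = b"".join(hashlib.sha256(k + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def demo(eta=2):
    # Constructed record: level 1 is the most sensitive field, level 3 the least.
    record = {1: b"salary=98000", 2: b"id_no=EXAMPLE-0001", 3: b"phone=555-0100"}
    alpha = len(record)
    keys = derive_keys(secrets.token_bytes(KEY_BYTES), 0, alpha)  # k_1..k_alpha from k_0
    stored = {}
    for lam, value in record.items():
        nonce = secrets.token_bytes(8)
        stored[lam] = (nonce, field_cipher(keys[lam], nonce, value))
    d = secrets.randbelow(n - 1) + 1                  # private key of Uj
    C1, C2 = wrap_key(keys[eta], mul(d, P))           # Qj = dP
    k = unwrap_key(d, C1, C2)
    usable = {eta: k, **derive_keys(k, eta, alpha)}   # k_eta .. k_alpha only
    plain = {t: field_cipher(usable[t], *stored[t]) for t in usable}
    return record, keys, usable, plain
```

With `eta=2` the user recovers levels 2 and 3 but holds no key for level 1, because reaching $k_1$ from $k_2$ would mean inverting $H_2$; unwrapping with the wrong private key fails in `point_to_key` rather than returning a plausible-looking key.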
Analysis of key sensitive field grading encryption scheme of database
The scheme is based on the discrete logarithm problem of the elliptic curve and the safety hypothesis of the Hash function, and the safety and efficiency analysis is as follows:
(1) The scheme lets several authorized users share access to the same encrypted field, and the access is graded: only a user at a higher level can access the levels below it. For $U_j$, given $k_\eta$, solving for $k_{\eta-1}$ from $k_\eta = H_2(k_{\eta-1})$ is a hard problem.
(2) The keys of the other sensitive fields at the same level are derived from $k_\eta$, which guarantees a separate key for each field ("one word, one key"). Meanwhile $k_\eta$ is encrypted with the elliptic curve encryption algorithm, so an attacker faces the elliptic curve discrete logarithm problem; this prevents illegal users from arbitrarily encrypting and decrypting database data and ensures the integrity of the data.
(3) The scheme can resist known-ciphertext attacks. Such attacks rely on a large amount of data encrypted under the same key; if the data is encrypted under many different keys, the amount of data encrypted by each key is small, which limits the effectiveness of such attacks.
(4) Compared with the currently common RSA encryption scheme with a 1024-bit key, this scheme uses an elliptic curve encryption algorithm and needs a key length of only 160 bits to achieve the same security, so each user's key is only about 15.7% of the length required by the RSA scheme. In addition, the keys of the other sensitive fields at the same level are derived from $k_\eta$, which guarantees a separate key for each field, while the database needs to store only one key per user. This greatly saves storage space and reduces the processing load when the system loads keys, so encryption and decryption are faster.
The embodiment of the invention provides a data encryption device applied to a block chain, which can be particularly applied to an authorized party in the block chain. As shown in fig. 5, the data encryption apparatus includes:
an obtaining module 501, configured to obtain plaintext data to be encrypted.
The encryption module 502 is configured to perform field-level encryption and/or line-level encryption on plaintext data to generate ciphertext data.
An authorization relationship module 503, configured to generate an authorization relationship table of the ciphertext data; and the field level viewing authority and/or the row level viewing authority of the users with different identity identifications on the ciphertext data are recorded in the authorization relation table.
The transmission module 504 is configured to store the ciphertext data and the authorization relationship table in the blockchain.
The embodiment of the invention also provides a data decryption device applied to the block chain, and the data decryption device can be particularly applied to an access party in the block chain. As shown in fig. 6, the data decryption apparatus includes:
the obtaining module 601 is configured to obtain an identity of a visiting user of the ciphertext data.
The query module 602 is configured to query the authorization relationship table according to the identity, and obtain field-level viewing permissions and/or row-level viewing permissions of the visiting user on the ciphertext data.
The decryption module 603 is configured to decrypt the ciphertext data according to the field-level viewing right and/or the line-level viewing right of the ciphertext data by the visiting user, and generate decrypted data.
The data encryption device and the data decryption device applied to the block chain provided by the embodiment of the invention have the same technical characteristics as the data encryption method and the data decryption method applied to the block chain provided by the embodiment, so that the same technical problems can be solved, and the same technical effect can be achieved.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present invention includes a memory 701 and a processor 702, where the memory stores a computer program that is executable on the processor, and the processor executes the computer program to implement the steps of the method according to the above-mentioned embodiment.
As shown in fig. 7, the electronic device further includes: a bus 703 and a communication interface 704, and the processor 702, the communication interface 704, and the memory 701 are connected by the bus 703; the processor 702 is configured to execute executable modules, such as computer programs, stored in the memory 701.
The Memory 701 may include a high-speed Random Access Memory (RAM), and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 704 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
Bus 703 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 7, but this does not indicate only one bus or one type of bus.
The memory 701 is used for storing a program, the processor 702 executes the program after receiving an execution instruction, and the method performed by the apparatus defined by the process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 702, or implemented by the processor 702.
The processor 702 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 702. The Processor 702 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 701, and the processor 702 reads the information in the memory 701, and completes the steps of the method in combination with the hardware thereof.
Corresponding to the real-time data processing method, an embodiment of the present invention further provides a computer-readable storage medium, where machine executable instructions are stored, and when the computer executable instructions are called and executed by a processor, the computer executable instructions cause the processor to execute the steps of the real-time data processing method.
The real-time data processing device provided by the embodiment of the invention can be specific hardware on the equipment or software or firmware installed on the equipment. The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the method embodiments without reference to the device embodiments. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the foregoing systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
For another example, the division of the unit is only one division of logical functions, and there may be other divisions in actual implementation, and for another example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided by the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the real-time data processing method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention, and are intended to be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A data encryption method applied to a blockchain is characterized by comprising the following steps:
acquiring plaintext data to be encrypted;
performing field-level encryption and/or line-level encryption on the plaintext data to generate ciphertext data;
generating an authorization relation table of the ciphertext data; wherein, the field level viewing authority and/or row level viewing authority of the users with different identity marks to the ciphertext data are recorded in the authorization relation table;
and storing the ciphertext data and the authorization relation table to a block chain.
2. The method according to claim 1, further comprising, after the step of obtaining plaintext data to be encrypted:
acquiring the data type of the plaintext data;
and determining the encryption type of the plaintext data according to the data type.
3. The method according to claim 2, wherein the step of generating the authorization relationship table of the ciphertext data comprises:
acquiring a plurality of identity marks related to the ciphertext data;
determining field level viewing authority and/or row level viewing authority of each identity-identified user on the ciphertext data;
and respectively generating an authorization relation form recorded with field level viewing authority and/or line level viewing authority of the ciphertext data for each identity-identified user.
4. The method according to claim 1, wherein the step of performing field-level encryption and/or line-level encryption on the plaintext data to generate ciphertext data comprises:
performing field-level encryption on the plaintext data to generate preliminary ciphertext data;
and performing level encryption on the preliminary ciphertext data to generate ciphertext data.
5. A method for decrypting data applied to a blockchain, comprising:
acquiring the identity of a visiting user of the ciphertext data;
inquiring an authorization relation table according to the identity, and obtaining field level viewing permission and/or row level viewing permission of the visiting user to the ciphertext data, wherein the field level viewing permission and/or row level viewing permission of the visiting user to the ciphertext data are recorded in the authorization relation table;
and decrypting the ciphertext data according to the field level viewing authority and/or the line level viewing authority of the visitor to the ciphertext data to generate decrypted data.
6. The method according to claim 5, wherein the step of obtaining the field-level viewing right and/or the row-level viewing right of the visitor to the ciphertext data by querying an authorization relationship table according to the identity includes:
inquiring an authorization relation table corresponding to the identity in an authorization relation table according to the identity;
inquiring from the authorization relation form, wherein the visiting user has a viewing authority for each field of the ciphertext data; and/or inquiring from the authorization relation form, wherein the visiting user has the view right of each line of the ciphertext data.
7. The method according to claim 5, wherein the step of decrypting the ciphertext data according to the field-level viewing right and/or the line-level viewing right of the visiting user to the ciphertext data to generate decrypted data comprises:
when the visiting user has field level viewing right and line level viewing right, performing line level decryption on the ciphertext data to generate preliminary decryption data;
and carrying out field-level decryption on the preliminary decrypted data to generate decrypted data.
8. The method of claim 5, further comprising:
transmitting the decrypted data to the client of the visiting user.
9. A data encryption apparatus applied to a blockchain, comprising:
the acquisition module is used for acquiring plaintext data to be encrypted;
the encryption module is used for carrying out field level encryption and/or line level encryption on the plaintext data to generate ciphertext data;
the authorization relation module is used for generating an authorization relation table of the ciphertext data; wherein, the field level viewing authority and/or row level viewing authority of the users with different identity marks to the ciphertext data are recorded in the authorization relation table;
and the transmission module is used for storing the ciphertext data and the authorization relation table to a block chain.
10. A data decryption apparatus for use in a blockchain, comprising:
the acquisition module is used for acquiring the identity of a visiting user of the ciphertext data;
the query module is used for querying an authorization relation table according to the identity to obtain field level viewing permission and/or row level viewing permission of the visiting user on the ciphertext data;
and the decryption module is used for decrypting the ciphertext data according to the field level viewing authority and/or the line level viewing authority of the visitor to the ciphertext data to generate decrypted data.
11. An electronic device comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and wherein the processor implements the steps of the method of any of claims 1 to 8 when executing the computer program.
12. A computer readable storage medium having stored thereon machine executable instructions which, when invoked and executed by a processor, cause the processor to execute the method of any of claims 1 to 8.
CN202010149278.0A 2020-03-05 2020-03-05 Data encryption and decryption method and device applied to block chain Pending CN111400728A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200710