CN111914269A - Data security sharing method and system under block chain and cloud storage environment - Google Patents


Publication number
CN111914269A
Authority
CN
China
Prior art keywords
data
key
intelligent contract
attribute
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010650801.8A
Other languages
Chinese (zh)
Other versions
CN111914269B (en)
Inventor
李瑞轩
张瑜
李玉华
辜希武
李水祥
田纹龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN202010650801.8A
Publication of CN111914269A
Application granted
Publication of CN111914269B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data security sharing method and system under a block chain and cloud storage environment, and belongs to the field of internet security. The intelligent contract directly performs identity verification on the data request end; the cloud server does not participate in authority authentication at any stage, so interference from a malicious cloud is avoided and the security of key generation and distribution is ensured under attribute-based access control. The actual data ciphertext of the user is placed on the cloud server and the metadata is placed on the block chain; separating the actual data from the metadata prevents the block chain from becoming bloated, keeps data formats consistent, and facilitates storage and query. The data owning end entrusts its authority to the intelligent contract and can change the access control strategy of a data file at any time, so the user still holds management control over the data after uploading it. The invention uses ciphertext-policy attribute-based encryption to realize one-to-many fine-grained access control.

Description

Data security sharing method and system under block chain and cloud storage environment
Technical Field
The invention belongs to the technical field of internet security, and particularly relates to a data security sharing method and system under a block chain and cloud storage environment.
Background
With the continuous development of internet technology, information exchange among different organizations is gradually increasing, and the degree of data sharing grows day by day. Meanwhile, because of their intelligence, mobile terminals are rapidly becoming a key entrance to many internet services, and data sharing through mobile devices has become an inevitable trend of social development. However, mobile terminals are limited in resources such as power, computing capacity and storage capacity, which has promoted the emergence of cloud services. The security of a cloud service bears on the privacy of a large amount of user data, and a single lapse can cause irrecoverable consequences. Cloud services in the current market all have problems to a greater or lesser degree, and a safer and more reliable data sharing system urgently needs to be constructed.
Because of these limits on power, computing capacity and storage capacity, mobile terminal users currently tend to store large amounts of data on an enterprise cloud platform to access and share the data in real time. But once the data is stored on the cloud, the user loses management of the access control rights over it. In conventional access control management, the cloud storage performs access right verification, and a third-party authority is introduced to manage access rights and to generate and distribute the related keys. However, the cloud is considered "honest but curious", i.e. semi-trusted, and the third-party authority is a centralized institution that must be fully trusted, so data leaks if the third-party authority colludes with other users or with a malicious cloud. In a conventional data sharing system, if data leakage occurs, it is difficult to track which party leaked the data. The traditional data sharing model therefore suffers from a semi-trusted cloud, a third-party management authority, and data leakage whose source is difficult to trace.
The decentralization and tamper resistance of the block chain, together with the openness, transparency and automatic execution of the intelligent contract, make applying the block chain and the intelligent contract to secure data sharing in cloud storage an inevitable trend. Secure data sharing in cloud storage combined with block chain technology solves the problem of the semi-trusted third-party management authority: a decentralized block chain with tamper-resistant records and an intelligent contract perform its work instead, making data sharing safer, more transparent and more traceable. Because the block chain is a decentralized structure, its operation is jointly maintained by many nodes, and its records are jointly determined by all the nodes in the block chain. In addition, access right verification and data access key generation and distribution are performed by the intelligent contract, which reduces the probability of collusion by malicious parties. The cloud service provider cannot control the records of the block chain unless it colludes with more than 51% of the nodes in the block chain, so the records on the block chain are safer and more credible. If a malicious user leaks data for personal benefit, the source of the leak can be tracked using the traceability of the block chain.
However, existing data sharing methods based on a block chain and a cloud server have the following shortcomings. First, to let multiple data request ends access data simultaneously, a large list of identity information and related key information of the data request ends must be maintained at the local data owning end or on the cloud server; when data request ends apply for access rights, the data owning end or the cloud server must process them "one-to-one", and when a data request end requests data access, the data owning end or the cloud server must first look up the key corresponding to that data request end in the list. Second, the existing methods cannot achieve complete decentralization: the cloud server retains the basic function of verifying the identity of the data request end, and a malicious cloud server may report to the intelligent contract that a data request end passed identity verification when it did not. Third, the existing methods store data in a single form and realize neither separated storage nor even storage of data. Finally, the existing methods cannot trace data leakage.
Disclosure of Invention
Aiming at the defects and improvement requirements of the prior art, namely complex access control, incompletely decentralized operation and a single data storage format, the invention provides a data security sharing method and system in a block chain and cloud storage environment, and aims to realize completely decentralized operation, fine-grained access control, and storage and sharing of different data formats.
In order to achieve the above object, according to a first aspect of the present invention, there is provided a method for securely sharing data in a block chain and cloud storage environment, the method comprising an initialization stage, a data encryption storage stage, an attribute key acquisition stage and a data access stage;
the initialization phase is processed as follows:
(1) the intelligent contract generates a system master key and a system public key by using a ciphertext-policy attribute-based encryption method, and the data owning end locally generates a symmetric key for encrypting files;
(2) the intelligent contract stores the system master key in a block chain and sends a system public key to a data owning terminal;
(3) the data owning terminal uploads the attribute set of the data owning terminal to the block chain for storage;
the data encryption storage stage is processed as follows:
① the data owning end encrypts plaintext data with the symmetric key to generate a data ciphertext;
② the data owning end specifies an access control strategy for the symmetric key according to its own attribute set, and encrypts the symmetric key with the access control strategy and the system public key using attribute-based encryption to obtain a symmetric key ciphertext;
③ the data owning end packs the data ciphertext and the symmetric key ciphertext into a data file and stores the data file on the cloud server;
④ after receiving and storing the data file, the cloud server returns the storage address of the data file to the data owning end;
⑤ through the intelligent contract, the data owning end uploads the data file storage address and the access control strategy to the block chain, or stores them locally;
the attribute key acquisition stage is processed as follows:
a) a data request end sends an attribute key acquisition request to an intelligent contract;
b) the intelligent contract acquires an access control strategy from the block chain, judges whether the data request end has access authority or not according to the acquired access control strategy, if so, enters the step c), and otherwise, the intelligent contract refuses the attribute key acquisition request of the data request end;
c) the intelligent contract generates an attribute key according to the attribute set of the data request end and the system master key, and sends the attribute key to the data request end;
the data access phase is processed as follows:
i) the data request terminal sends a data access request to the cloud server;
ii) the cloud server sends the identity information of the data request end to the intelligent contract;
iii) the intelligent contract obtains the access control strategy from the block chain and verifies the access right of the identity of the data request end according to the obtained access control strategy; the block chain records the identity information, the access information and the verification result of the data request end; if the verification passes, go to step iv), otherwise go to step v);
iv) the cloud server sends the data file to the data request end, the data request end uses the attribute key of the data request end to decrypt the symmetric key ciphertext to obtain the symmetric key, then uses the symmetric key to decrypt the data ciphertext to obtain plaintext data, and ends the data access;
v) the intelligent contract transmits data access request failure information to the data request end through the cloud server.
Preferably, the method further comprises: a data file usage history investigation phase, which processes as follows:
1) the data owning end initiates a usage history investigation request for a data file to the intelligent contract;
2) for the data file under investigation, the intelligent contract searches the access records on the block chain and obtains the data request ends and request times for the data file;
3) whether the data file has been leaked or abused is judged according to the data request ends and request times for the data file, and if so, an accountability procedure is applied for with a third party through the intelligent contract.
Preferably, in the initialization stage, in step (1), the data owning end locally calls a symmetric key generation algorithm to generate a symmetric key for encrypting the file.
Preferably, during initialization, the system master key and the self attribute set are stored in the block chain as follows:
they are stored as key-value pairs in a private data collection provided by the consortium chain Hyperledger Fabric framework.
Preferably, the self attribute set includes: specific identity information generated when a user registers in the system and user-defined attribute information.
Preferably, the attribute key is generated as follows:
1) the intelligent contract acquires an attribute set of a data request end and a system master key from a block chain;
2) the smart contract generates an attribute key using an attribute key generation process in the CP-ABE algorithm.
To achieve the above object, according to a second aspect of the present invention, there is provided a data security sharing system in a block chain and cloud storage environment, the system comprising: a data owning end, a data request end, an intelligent contract, a block chain and a cloud server;
the data owning end is used for: in the initialization stage, locally generating a symmetric key for encrypting files, receiving the system public key sent by the intelligent contract, and uploading its own attribute set to the block chain; in the data encryption storage stage, encrypting plaintext data with the symmetric key to generate a data ciphertext, specifying an access control strategy for the symmetric key according to its own attribute set, encrypting the symmetric key with the access control strategy and the system public key using attribute-based encryption to obtain a symmetric key ciphertext, packaging the data ciphertext and the symmetric key ciphertext into a data file, uploading the data file to the cloud server, receiving the data file storage address sent by the cloud server, and uploading the data file storage address and the access control strategy to the block chain or storing them locally;
the data request end is used for: in the attribute key acquisition stage, sending an attribute key acquisition request to the intelligent contract, receiving the attribute key sent by the intelligent contract when the intelligent contract judges that the data request end has the access right, and receiving the attribute key acquisition request failure information sent by the intelligent contract when it does not; in the data access stage, sending a data access request to the cloud server; when the intelligent contract's verification of the identity of the data request end passes, receiving the data file sent by the cloud server, decrypting the symmetric key ciphertext with its own attribute key to obtain the symmetric key, and then decrypting the data ciphertext with the symmetric key to obtain plaintext data; and when the verification does not pass, receiving the data access request failure information sent by the intelligent contract;
the intelligent contract is used for: in the initialization stage, generating a system master key and a system public key by using a ciphertext-policy attribute-based encryption method, storing the system master key in the block chain and sending the system public key to the data owning end; in the data encryption storage stage, serving as the bridge through which the data owning end uploads the data file storage address and the access control strategy to the block chain; in the attribute key acquisition stage, after receiving an attribute key acquisition request sent by a data request end, acquiring the access control strategy from the block chain and judging according to it whether the data request end has the access right, and if so, generating an attribute key according to the attribute set of the data request end and the system master key and sending the attribute key to the data request end, otherwise refusing the attribute key acquisition request of the data request end; in the data access stage, after receiving the identity information of the data request end sent by the cloud server, acquiring the access control strategy from the block chain, verifying the access right of the identity of the data request end according to it, and if the verification fails, transmitting data access request failure information to the data request end through the cloud server;
the block chain is used for: in the initialization stage, storing the system master key sent by the intelligent contract and the self attribute set uploaded by the data owning end; in the data encryption storage stage, storing the data file storage address and the access control strategy uploaded by the data owning end; in the attribute key acquisition stage, providing the access control strategy to the intelligent contract; in the data access stage, providing the access control strategy to the intelligent contract, and recording the identity information, the access information and the verification result of the data request end after the identity of the data request end has been verified;
the cloud server is used for: in the data encryption storage stage, storing the data file sent by the data owning end and returning the data file storage address to the data owning end; in the data access stage, after receiving a data access request sent by a data request end, sending the identity information of the data request end to the intelligent contract; when the intelligent contract's verification of the access right of the data request end passes, sending the data file to the data request end; and when the verification fails, serving as the bridge through which the intelligent contract transmits data access request failure information to the data request end.
Preferably, the data owning end is further configured to initiate a data file usage history investigation request to the smart contract at a data file usage history investigation stage;
the intelligent contract is also used for, in the data file usage history investigation stage, searching the access records on the block chain for the data file under investigation and obtaining the data request ends and request times for the data file; judging whether the data file has been leaked or abused according to the data request ends and request times, and if so, directly applying for an accountability procedure with a third party through the intelligent contract;
and the block chain is also used for receiving access search of the intelligent contract at the data file use history record investigation stage and returning the data request end and the request time which are obtained by inquiry and aim at the data file initiating the investigation.
Generally, by the above technical solution conceived by the present invention, the following beneficial effects can be obtained:
(1) Aiming at the problem that the prior art is not completely decentralized, the invention has the intelligent contract directly verify the identity of the data request end; the cloud server does not participate in authority authentication at any stage and is only responsible for file storage. This achieves decentralization without the intervention of a centralized third-party authority, avoids interference from a malicious cloud, and ensures the security of key generation and distribution under attribute-based access control.
(2) Aiming at the problem of a single data storage format in the prior art, the invention places the user's actual data ciphertext, which is large, varied in type, complex in format and contains a large amount of the user's private information, on the cloud server. Metadata is placed on the block chain; it includes the storage address of the user's data ciphertext on the cloud server, the contact attribute information related to the data owning end, the records of data request ends accessing the data ciphertext, and so on. The metadata is small, has a uniform format, and is key information generated while the data is in use; stored on the block chain, it cannot be tampered with. Separating the actual data from the metadata in this way prevents the block chain from becoming bloated, keeps data formats consistent, and facilitates storage and query.
(3) Aiming at the problem that the data owning end has weak control over its data in the prior art, in the data sharing scheme designed by the invention the data owning end entrusts its authority to the intelligent contract in a centralized manner and can change the access control strategy of a data file at any time, so the user still holds the access control right over the data after uploading it.
(4) Aiming at the problem of coarse-grained access control in the prior art, the invention uses ciphertext-policy attribute-based encryption to realize one-to-many fine-grained access control; the data owning end only needs to specify an access control strategy once to enable both attribute key generation and data request access.
(5) Aiming at the problem that data leakage cannot be traced, the invention supports retrieval of block chain records and provides a cooperation interface for third-party legal departments. The intelligent contract judges whether each data request end is a legitimate access user, so illegal users can be identified as soon as data is leaked or abused and the relevant legal departments can hold them accountable promptly, which promotes security in the field of data sharing.
Drawings
Fig. 1 is a flowchart of a data security sharing method in a blockchain and cloud storage environment according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an initialization phase disclosed in an embodiment of the present invention;
FIG. 3 is a schematic diagram of a data encryption storage phase disclosed in an embodiment of the present invention;
FIG. 4 is a diagram illustrating an attribute key obtaining stage according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating an access right verification phase disclosed in an embodiment of the present invention;
FIG. 6 is a diagram illustrating a data file usage history investigation phase according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in fig. 1, the present invention provides a method for securely sharing data in a block chain and cloud storage environment, the method comprising an initialization stage, a data encryption storage stage, an attribute key acquisition stage, a data access stage and a data file usage history investigation stage. Correspondingly, the invention provides a data security sharing system under a block chain and cloud storage environment, comprising a data owning end, a data request end, an intelligent contract, a block chain and a cloud server, which cooperate with each other to complete the functions of each stage.
As shown in fig. 2, the initialization stage generates the parameters the system requires, including the system master key and the system public key required by the client. The system master key and system public key generated at system initialization use the ciphertext-policy attribute-based encryption (CP-ABE) scheme. The data owning end stores a data file on the cloud server; the data file carries an access control strategy defined by the data owning end, and only a user with the access right can obtain the attribute key and decrypt the data file to obtain plaintext data. After a user starts the system from a client, the intelligent contract is triggered to execute automatically and generate a system Master Key (MK) and a system Public Key (PK); the system master key is stored securely in the block chain, and the system public key is sent to the client user at the data owning end. The client user defines an attribute set and uploads it to the block chain for secure storage.
As shown in fig. 3, the data encryption storage stage strengthens the security of data storage. The data owning end locally generates a symmetric key using a symmetric key algorithm, encrypts its plaintext data with the symmetric key to generate a ciphertext, encrypts the symmetric key using attribute-based encryption to obtain a key ciphertext, and packages the ciphertext and the key ciphertext into a data file stored on the cloud server. In detail, the data owning end encrypts data with the symmetric key obtained at initialization to obtain a data ciphertext, specifies an access control strategy for the data ciphertext, encrypts the symmetric key using the access control strategy tree and attribute-set-based encryption to obtain a symmetric key ciphertext, packages the data ciphertext and the symmetric key ciphertext into a data file and uploads the data file to the cloud server; the cloud server receives and stores the data file and returns the data file storage address to the data owning end. The data owning end may choose to upload the data file storage address and the access control strategy to the block chain, or save them locally for later use.
As shown in fig. 4, the attribute key acquisition stage distributes attribute keys to data request ends that have the access right to the data file. The data request end sends an attribute key acquisition request to the intelligent contract, and the intelligent contract judges whether the data request end has the access right. A data request end without the right to access a specific data file sends an access right application to the data owning end, and the data owning end resubmits an access control strategy to the block chain as required. The intelligent contract generates an attribute key according to the attribute set of the data request end and the system master key and sends it to the data request end.
As shown in fig. 5, the access right verification stage determines whether the data request end has the access right to the data file. When the data request end sends a data access request to the cloud server, the identity of the data request end is verified by the intelligent contract, in order to prevent the data request end from leaking its private attribute key. The access right verification stage allows the data file of the data owning end to be shared securely and records the usage track of the data in the block chain so that the use of the data can be traced. The data request end sends a data access request to the cloud server, and the cloud server sends the identity information of the data request end and the information of the accessed data file to the intelligent contract for access right verification. The block chain records the verification result of the access request, and also records key information of the accessor, key information of the accessed data file, the access time and so on. If the data request end has the access right to the data file, the cloud server sends the data file to the data request end; the data request end decrypts the key ciphertext with its own attribute key to obtain the symmetric key, and then decrypts the data ciphertext with the symmetric key to obtain plaintext data. If the data request end does not have the access right to the data file, the cloud server refuses the access request of the data request end.
As shown in fig. 6, the data file usage history investigation stage searches the access information of data files recorded in the block chain so that the use of the data files can be traced back. The client initiates a search investigation; the access records of the data file under investigation are searched, with the search accelerated by a GPU server, and detailed information such as the data request end and request time for each data file of the data owning end can be queried. This information can be used to monitor whether the data files of the data owning end have been leaked or abused. If a data file is found to have been abused or leaked, an accountability procedure is applied for directly with the relevant legal departments through the intelligent contract.
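The decisions the intelligent contract makes in the attribute key acquisition, data access and usage history investigation stages can be sketched as follows. This is an added example, not code from the patent: CP-ABE key generation and encryption are not modelled (only the policy-tree check that gates them), a hash-chained list stands in for the block chain, and all class, function and identity names, the storage address and the timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def attr(name):  # leaf of the policy tree: one required attribute
    return ("attr", name)

def gate(k, *children):  # threshold node: k of n children (AND: k=n, OR: k=1)
    return ("gate", k, list(children))

def satisfies(policy, attrs):
    """Return True when the attribute set satisfies the access policy tree."""
    if policy[0] == "attr":
        return policy[1] in attrs
    _, k, children = policy
    return sum(satisfies(child, attrs) for child in children) >= k

class Ledger:
    """Append-only, hash-chained record list standing in for the block chain."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev, record):
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

    def append(self, record):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self):
        """Recompute every link; an edited record breaks the chain."""
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != self._digest(prev, block["record"]):
                return False
            prev = block["hash"]
        return True

class SharingContract:
    """Hypothetical stand-in for the intelligent contract's access decisions."""
    def __init__(self):
        self.ledger = Ledger()
        self.attributes = {}  # identity -> attribute set
        self.files = {}       # storage address -> (owner, policy)

    def register(self, identity, attrs):
        self.attributes[identity] = frozenset(attrs)

    def set_policy(self, owner, address, policy):
        """Store or replace a policy; only the data owning end may change it."""
        current = self.files.get(address)
        if current is not None and current[0] != owner:
            raise PermissionError("policy can only be changed by the data owning end")
        self.files[address] = (owner, policy)

    def _allowed(self, identity, address):
        entry = self.files.get(address)  # unknown file or identity: deny
        return entry is not None and satisfies(entry[1], self.attributes.get(identity, frozenset()))

    def request_attribute_key(self, identity, address):
        """Steps a) to c): gate key issuance (CP-ABE key generation is not modelled)."""
        return self._allowed(identity, address)

    def verify_access(self, identity, address, when):
        """Steps ii) and iii): decide, and record the attempt whether or not it passes."""
        allowed = self._allowed(identity, address)
        self.ledger.append({"identity": identity, "address": address,
                            "time": when, "allowed": allowed})
        return allowed

    def usage_history(self, address):
        """Investigation stage: who requested this file, when, and the result."""
        return [(r["identity"], r["time"], r["allowed"])
                for r in (b["record"] for b in self.ledger.blocks)
                if r["address"] == address]

def demo():
    # Constructed identities, attributes, storage address and timestamps.
    c, addr = SharingContract(), "cloud://example/file-001"
    c.register("alice", {"hospital-A", "doctor"})
    c.register("bob", {"hospital-A", "nurse"})
    # Policy: hospital-A AND (doctor OR researcher)
    inner = gate(1, attr("doctor"), attr("researcher"))
    c.set_policy("owner-1", addr, gate(2, attr("hospital-A"), inner))
    keys = (c.request_attribute_key("alice", addr), c.request_attribute_key("bob", addr))
    attempts = [("alice", "2020-07-08T09:00:00Z"), ("bob", "2020-07-08T09:05:00Z"),
                ("mallory", "2020-07-08T09:10:00Z")]  # mallory never registered
    for who, when in attempts:
        c.verify_access(who, addr, when)
    # The data owning end tightens the policy: hospital-A AND researcher.
    c.set_policy("owner-1", addr, gate(2, attr("hospital-A"), attr("researcher")))
    c.verify_access("alice", addr, "2020-07-09T10:00:00Z")
    result = {"keys": keys, "history": c.usage_history(addr), "chain_ok": c.ledger.verify()}
    c.ledger.blocks[1]["record"]["allowed"] = True  # simulated tampering with bob's record
    result["chain_ok_after_tamper"] = c.ledger.verify()
    return result
```

Calling `demo()` returns the key decisions, the per-file access history and the chain check before and after one stored record is altered.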
An intelligent contract is a special protocol that includes program code functions that interact with other contracts, make decisions, store data, and transfer ethernet tokens, and provides the conditions for validation and execution of the contract, allowing trusted transactions to be conducted without third parties, which are traceable and irreversible, and the implementation of attribute-based access control, user rights validation, etc. in the system is independent of the intelligent contract.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for safely sharing data in a blockchain and cloud storage environment is characterized by comprising the following steps: the method comprises an initialization stage, a data encryption storage stage, an attribute key acquisition stage and a data access stage;
the initialization phase is processed as follows:
(1) the intelligent contract generates a system master key and a system public key by using an attribute encryption method based on a ciphertext strategy, and a data owning terminal locally generates a symmetric key for encrypting a file;
(2) the intelligent contract stores the system master key in a block chain and sends a system public key to a data owning terminal;
(3) the data owning terminal uploads the attribute set of the data owning terminal to the block chain for storage;
the data encryption storage stage is processed as follows:
firstly, the data owning terminal encrypts plaintext data by using the symmetric key to generate a data ciphertext;
secondly, the data owning terminal specifies an access control strategy for the symmetric key according to its own attribute set, and encrypts the symmetric key in an attribute-based encryption mode by using the access control strategy and the system public key to obtain a symmetric key ciphertext;
thirdly, the data owning terminal packs the data ciphertext and the symmetric key ciphertext into a data file and stores the data file on the cloud server;
fourthly, after receiving the data file for storage, the cloud server returns the storage address of the data file to the data owning terminal;
fifthly, through an intelligent contract, the data owning terminal uploads the data file storage address and the access control strategy to the block chain or local storage;
the attribute key acquisition stage is processed as follows:
a) a data request end sends an attribute key acquisition request to an intelligent contract;
b) the intelligent contract acquires an access control strategy from the block chain, judges whether the data request end has access authority or not according to the acquired access control strategy, if so, enters the step c), and otherwise, the intelligent contract refuses the attribute key acquisition request of the data request end;
c) the intelligent contract generates an attribute key according to the attribute set of the data request end and the system master key, and sends the attribute key to the data request end;
the data access phase is processed as follows:
i) the data request terminal sends a data access request to the cloud server;
ii) the cloud server sends the identity information of the data request end to the intelligent contract;
iii) the intelligent contract obtains the access control strategy from the block chain and verifies the access right of the identity of the data request terminal according to the obtained access control strategy; the block chain records the identity information, the access information and the verification result of the data request terminal; if the verification passes, the method enters step iv), otherwise it enters step v);
iv) the cloud server sends the data file to the data request end, the data request end uses the attribute key of the data request end to decrypt the symmetric key ciphertext to obtain the symmetric key, then uses the symmetric key to decrypt the data ciphertext to obtain plaintext data, and ends the data access;
v) the intelligent contract transmits data access request failure information to the data request end through the cloud server.
2. The method of claim 1, further comprising: a data file usage history investigation phase, which processes as follows:
1) a data owning terminal initiates a use history record investigation request of a data file to an intelligent contract;
2) aiming at a data file initiating a survey, carrying out access record search on a block chain by an intelligent contract, and inquiring to obtain a data request end and request time of the data file;
3) judging whether the data file is leaked or abused according to the data request end and the request time of the data file, and if so, applying for a liability-asking program to a third party through an intelligent contract.
3. The method of claim 1 or 2, wherein in the initialization phase, step (1), the data owner locally calls a symmetric key generation algorithm to generate a symmetric key for encrypting the file.
4. A method according to any one of claims 1 to 3, wherein, during an initialization phase, the system master key and the set of self attributes are stored in the blockchain by:
stored in the form of key-value pairs in a private data set provided by the federation chain Hyperledger Fabric framework.
5. The method of any of claims 1 to 4, wherein the self attribute set comprises: specific identity information generated when a user registers in the system and user-defined attribute information.
6. The method according to any of claims 1 to 5, wherein the attribute key is generated in the following way:
1) the intelligent contract acquires an attribute set of a data request end and a system master key from a block chain;
2) the smart contract generates an attribute key using an attribute key generation process in the CP-ABE algorithm.
7. A system for secure sharing of data in a blockchain and cloud storage environment, the system comprising: the system comprises a data owning end, a data requesting end, an intelligent contract, a block chain and a cloud server;
the data owning terminal is used for locally generating a symmetric key for encrypting the file in the initialization stage, receiving the system public key sent by the intelligent contract, and uploading its own attribute set to the block chain; in the data encryption storage stage, encrypting plaintext data by using the symmetric key to generate a data ciphertext, specifying an access control strategy for the symmetric key according to its own attribute set, encrypting the symmetric key in an attribute-based encryption mode by using the access control strategy and the system public key to obtain a symmetric key ciphertext, packaging the data ciphertext and the symmetric key ciphertext into a data file, uploading the data file to the cloud server, receiving the data file storage address sent by the cloud server, and uploading the data file storage address and the access control strategy to the block chain or local storage;
the data request end is used for sending an attribute key acquisition request to the intelligent contract in the attribute key acquisition stage, receiving the attribute key sent by the intelligent contract when the intelligent contract judges that the data request end has the access right, and receiving the attribute key acquisition request failure information sent by the intelligent contract when the data request end does not have the access right; in the data access stage, sending a data access request to the cloud server, and, when the identity of the data request end passes verification by the intelligent contract, receiving the data file sent by the cloud server, decrypting the symmetric key ciphertext by using its own attribute key to obtain the symmetric key, and then decrypting the data ciphertext by using the symmetric key to obtain plaintext data, and, when the identity of the data request end fails verification, receiving the data access request failure information sent by the intelligent contract;
the intelligent contract is used for generating a system master key and a system public key by using an attribute encryption method based on a ciphertext strategy in the initialization stage, storing the system master key in the block chain and sending the system public key to the data owning terminal; in the data encryption storage stage, serving as a bridge through which the data owning terminal uploads the data file storage address and the access control strategy to the block chain; in the attribute key acquisition stage, after receiving an attribute key acquisition request sent by the data request end, acquiring the access control strategy from the block chain and judging whether the data request end has access authority according to the acquired access control strategy, and, if the data request end has the access authority, generating an attribute key according to the attribute set of the data request end and the system master key and sending the attribute key to the data request end, otherwise refusing the attribute key acquisition request of the data request end; in the data access stage, after receiving the identity information of the data request terminal sent by the cloud server, acquiring the access control strategy from the block chain, verifying the access authority of the identity of the data request terminal according to the acquired access control strategy, and, if the verification fails, transmitting data access request failure information to the data request terminal through the cloud server;
the block chain is used for storing the system master key sent by the intelligent contract and the attribute set uploaded by the data owning terminal in the initialization stage; in the data encryption storage stage, storing the data file storage address and the access control strategy uploaded by the data owning terminal; in the attribute key acquisition stage, providing the access control strategy for the intelligent contract; in the data access stage, providing the access control strategy for the intelligent contract, and recording the identity information, the access information and the verification result of the data request end after the identity of the data request end is verified;
the cloud server is used for storing the data file sent by the data owning terminal in the data encryption storage stage and returning the data file storage address to the data owning terminal; in the data access stage, after receiving a data access request sent by the data request end, sending the identity information of the data request end to the intelligent contract, sending the data file to the data request end when the access authority of the identity of the data request end passes verification by the intelligent contract, and, when the verification fails, serving as a bridge through which the intelligent contract transmits data access request failure information to the data request end.
8. The system of claim 7, wherein the data owner is further configured to initiate a usage history investigation request for the data file to the smart contract during a data file usage history investigation phase;
the intelligent contract is also used for carrying out access record search on the block chain aiming at the data file initiating the survey and inquiring to obtain a data request end and request time of the data file in the survey stage of the use history record of the data file; judging whether the data file is leaked or abused or not according to the data request end and the request time of the data file, and if so, directly applying a liability-asking program to a third party through an intelligent contract;
and the block chain is also used for receiving access search of the intelligent contract at the data file use history record investigation stage and returning the data request end and the request time which are obtained by inquiry and aim at the data file initiating the investigation.
CN202010650801.8A 2020-07-07 2020-07-07 Data security sharing method and system in blockchain and cloud storage environment Active CN111914269B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010650801.8A CN111914269B (en) 2020-07-07 2020-07-07 Data security sharing method and system in blockchain and cloud storage environment

Publications (2)

Publication Number Publication Date
CN111914269A true CN111914269A (en) 2020-11-10
CN111914269B CN111914269B (en) 2024-02-02

Family

ID=73226438

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010650801.8A Active CN111914269B (en) 2020-07-07 2020-07-07 Data security sharing method and system in blockchain and cloud storage environment

Country Status (1)

Country Link
CN (1) CN111914269B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base
CN109559124A (en) * 2018-12-17 2019-04-02 重庆大学 A kind of cloud data safety sharing method based on block chain

Also Published As

Publication number Publication date
CN111914269B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant