CN111914293B - Data access right verification method and device, computer equipment and storage medium - Google Patents

Data access right verification method and device, computer equipment and storage medium

Info

Publication number: CN111914293B
Authority: CN (China)
Prior art keywords: server, access, data, result, public key
Legal status: Active
Application number: CN202010760949.7A
Other languages: Chinese (zh)
Other versions: CN111914293A (en)
Inventor: 赵亦杨
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Events: application filed by Ping An Technology Shenzhen Co Ltd; priority to CN202010760949.7A; priority to PCT/CN2020/124726 (WO2021139338A1); publication of CN111914293A; application granted; publication of CN111914293B; legal status active.

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60  Protecting data
    • G06F21/62  Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218  Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602  Providing cryptographic facilities or services (also under G06F21/60 Protecting data)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data access right verification method and device, computer equipment, and a storage medium. The method comprises the following steps: the first server creates an access message, encrypts and digitally signs it, sends the access message to the blockchain, and sends a data access request to the second server; the second server receives the request, obtains the first server's access message from the blockchain, verifies its signature and decrypts it to produce a decrypted access message, performs authority verification on the decrypted access message to produce an authorization result, encrypts and digitally signs the authorization result, sends the encrypted authorization result to the blockchain, and sends an access response to the first server; after receiving the response, the first server obtains the authorization result from the blockchain, verifies its signature and decrypts it to produce a decrypted authorization result, and decides whether to perform data access based on the decrypted authorization result. By adopting the embodiments of the application, the security risk present in the data sharing process can therefore be reduced.

Description

Data access right verification method and device, computer equipment and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for verifying data access rights, a computer device, and a storage medium.
Background
With the continuous development of the information age, information exchange between different departments of the same company, or between different enterprises, is steadily increasing, and the development of computer network technology guarantees data transmission and makes data sharing possible. This allows more people to make fuller use of existing data resources, reducing duplicated labour and the corresponding costs of data acquisition and processing.
In the current data sharing process, attention is mainly focused on standardization issues such as data exchange formats, while potential security problems are ignored. For example, company A gives its customer data to company B for analysis of customers' purchasing preferences, but, for profit, a data analyst at company B may sell the data to company C, a competitor of company A. Company A's interests are then harmed, and company A does not even know that its data has been illegally accessed by company C. Current data sharing thus suffers from uncontrolled data flow, which increases the security risk present in the data sharing process.
Disclosure of Invention
Based on the above, there is a need to provide a data access right verification method and device, a computer device and a storage medium that address the problem of uncontrolled data flow in current data sharing, so that the security risk present in data sharing is reduced.
The data access right verification method is applied to a first server and comprises the following steps: obtaining an access rule pre-generated by a second server; determining, based on the access rule, the open time during which the second server's resource may be accessed; when the current time falls within the open time, obtaining the public key of the second server; creating authority access data for accessing the second server and obtaining the private key of the first server; encrypting the authority access data with the public key of the second server to generate encrypted authority access data; digitally signing the encrypted authority access data with the private key of the first server to generate the access message of the first server; and sending the access message of the first server to a blockchain and sending a data access request to the second server.
In one embodiment, after sending the access message of the first server to the blockchain, the method further includes: when a data access response of the second server is received, obtaining the authorization result of the second server from the blockchain; obtaining the public key of the second server and the private key of the first server; verifying the authorization result with the public key of the second server to generate a second verification result; when the second verification result shows that the authorization result was sent by the second server, decrypting the authorization result with the private key of the first server to generate a decrypted authorization result; and determining whether to perform data access based on the decrypted authorization result.
A data access right verification method applied to a second server comprises: when a data access request from a first server is received, obtaining the access message of the first server from a blockchain; obtaining the public key of the first server and the private key of the second server; verifying the access message of the first server with the public key of the first server to generate a first verification result; decrypting the access message of the first server with the private key of the second server to generate a decrypted access message; auditing the verification result and the decrypted access message according to a preset auditing mode to generate an audit result; determining an authorization result according to the audit result; and encrypting the authorization result with the public key of the first server, sending the encrypted authorization result to the blockchain, and sending a data access response to the first server.
In one embodiment, before obtaining the access message of the first server from the blockchain, the method further includes: obtaining the public key of the second server and a second-server parameter set; digitally signing the second-server parameter set with the private key of the second server to generate an access rule; and encrypting the access rule with the public key of the second server and then issuing the encrypted access rule to the blockchain.
In one embodiment, the preset auditing mode includes a manual auditing mode and a server auditing mode, and auditing the verification result and the decrypted access message according to the preset auditing mode to generate the audit result comprises: when the auditing mode is manual auditing and the verification result shows that the access message was sent by the first server, receiving an audit-result instruction and generating the audit result based on that instruction; or, when the auditing mode is server auditing and the verification result shows that the access message was sent by the first server, obtaining a preset set of authorized servers and judging whether the first server is in the set of authorized servers, thereby generating the audit result.
In one embodiment, determining the authorization result according to the audit result includes: when the audit result is "not passed", generating an access-refusal notification; encrypting the access-refusal notification with the public key of the first server to obtain an encrypted access-refusal notification; and digitally signing the encrypted access-refusal notification with the private key of the second server to generate the authorization result.
In one embodiment, determining the authorization result according to the audit result includes: when the audit result is "passed", generating an access credential and an access time; encrypting the access credential and the access time with the public key of the first server to generate an encrypted access credential and access time; and digitally signing the encrypted access credential and access time with the private key of the second server to generate the authorization result.
A data access right verification apparatus applied to a first server comprises: an access rule acquisition module, for obtaining an access rule pre-generated by the second server; a time determining module, for determining, based on the access rule, the open time during which the second server's resource may be accessed; a public key acquisition module, for obtaining the public key of the second server when the current time falls within the open time; a data creation module, for creating authority access data for accessing the second server and obtaining the private key of the first server; a data encryption module, for encrypting the authority access data with the public key of the second server to generate encrypted authority access data; a data signing module, for digitally signing the encrypted authority access data with the private key of the first server to generate the access message of the first server; and a message sending module, for sending the access message of the first server to the blockchain.
A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the data access rights verification method described above.
A storage medium storing computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of the data access rights verification method described above.
In the data access right verification method and device, computer equipment and storage medium described above, the first server first creates an access message, encrypts and digitally signs it, sends the access message to a blockchain, and sends a data access request to the second server. The second server receives the request, obtains the first server's access message from the blockchain, verifies its signature and decrypts it to produce a decrypted access message, performs authority verification on the decrypted access message to produce an authorization result, encrypts and digitally signs the authorization result, sends the encrypted authorization result to the blockchain, and sends an access response to the first server. On receiving the response, the first server obtains the authorization result from the blockchain, verifies its signature and decrypts it to produce a decrypted authorization result, and decides whether to perform data access based on the decrypted authorization result. Because the flow direction of data between servers, the authorization information, the usage records and so on are published on the blockchain, the data itself is separated from the shared-access process, illegal leakage of data during sharing is avoided, and the security risk present in the data sharing process is reduced.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a diagram of an environment in which a method for verifying data access rights provided in one embodiment of the present application is implemented;
FIG. 2 is a schematic diagram showing an internal structure of a computer device according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a method for verifying data access rights according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a method for generating an access request message in a data access right verification method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a method for generating an access rule in a data access right verification method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a method for checking authorization results in a method for verifying data access rights according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an implementation scenario of data access rights verification provided in one embodiment of the present application;
FIG. 8 is a schematic diagram of an apparatus for verifying data access rights according to an embodiment of the present application;
FIG. 9 is a schematic diagram of another apparatus for verifying data access rights according to an embodiment of the present application;
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms first, second, etc. as used herein may be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one element from another element. For example, a first service may be referred to as a second service, and similarly, a second service may be referred to as a first service, without departing from the scope of the present application.
FIG. 1 is a diagram of the implementation environment of a data access right verification method provided in one embodiment. As shown in FIG. 1, the implementation environment includes a first server 110, a second server 120 and a blockchain 130.
The first server 110 and the second server 120 are server devices; for example, the first server 110 is company B's server storing its platform data, and the second server 120 is company A's server storing its platform data. The blockchain 130 mainly records the access rules issued by each platform, together with other platforms' applications for access rights to data, access authorizations, and the like.
When the first server 110 (company B's server) accesses the second server 120 (company A's server), the second server 120 performs access-permission verification on the first server 110. First, the first server 110 obtains the access rule pre-generated by the second server 120, creates an access message based on that rule, encrypts and digitally signs the access message, sends the encrypted access message to the blockchain 130 and sends a data access request to the second server. On receiving the first server's data access request, the second server 120 obtains the access message from the blockchain 130, verifies its signature and decrypts it to produce a decrypted access message, performs authority verification on the decrypted access message to produce an authorization result, encrypts and digitally signs the authorization result, sends the encrypted authorization result to the blockchain 130, and sends a data access response to the first server. The first server 110 receives the response, obtains the authorization result from the blockchain 130, verifies its signature and decrypts it to produce a decrypted authorization result, and decides whether to perform data access based on the decrypted authorization result.
It should be noted that the first server 110, the second server 120 and the blockchain 130 may be connected through Bluetooth, USB (Universal Serial Bus) or other communication connection methods, which this disclosure does not limit.
FIG. 2 is a schematic diagram of the internal structure of a computer device in one embodiment. As shown in FIG. 2, the computer device includes a processor, a non-volatile storage medium, a memory, and a network interface connected by a system bus. The non-volatile storage medium of the computer device stores an operating system, a database and computer-readable instructions; the database can store a control information sequence, and the computer-readable instructions, when executed by the processor, enable the processor to implement a data access right verification method. The processor of the computer device provides computing and control capabilities and supports the operation of the entire computer device. The memory of the computer device may store computer-readable instructions that, when executed by the processor, cause the processor to perform a data access right verification method. The network interface of the computer device is used to communicate with connected terminals. Persons skilled in the art will appreciate that the architecture shown in FIG. 2 is merely a block diagram of part of the architecture relevant to the present arrangements and does not limit the computer device to which they apply; a particular computer device may include more or fewer components than shown, may combine some of the components, or may arrange the components differently.
The data access right verification method provided by the embodiment of the application is described in detail below with reference to FIG. 3 to FIG. 7. The method may be implemented by a computer program and may run on a data access right verification device based on a von Neumann architecture. The computer program may be integrated into an application or may run as a stand-alone tool application.
Referring to fig. 3, a flowchart of a data access right verification method is provided in an embodiment of the present application. As shown in fig. 3, the method according to the embodiment of the present application may include the following steps:
S101, when a data access request sent by a first server for a second server is received, an access message sent by the first server for the second server is obtained from a blockchain;
A server is the server that stores a company platform's data, that is, it is responsible for storing that platform's data. A blockchain is a technology maintained by multiple parties that uses cryptography to secure data transmission and data access and achieves data consistency, tamper resistance and non-repudiation. The access message is generated by the first server.
In the embodiment of the present application, for example, FIG. 4 is a flowchart of the first server generating the access message and the access request. The first server first obtains the access rule generated in advance by the second server, then determines from the access rule the open time of the second server's access resource. When the current time falls within the open time, it obtains the public key of the second server, creates rights access data for accessing the second server, and obtains its own private key; it encrypts the rights access data with the public key of the second server to generate encrypted rights access data, and finally digitally signs the encrypted rights access data with its own private key to generate the access message of the first server, sends that access message to the blockchain, and sends the data access request to the second server.
It should be noted that, in the embodiment of the present application, signing and verification may be implemented with elliptic curve encryption and decryption using the ECC-secp k1 algorithm, that is, an asymmetric cryptographic algorithm, where the private key is used for signing and the public key is used for decrypting.
Further, after the data access request has been sent to the second server, on receiving the first server's access request the second server parses it, obtains the request's identifier from the parsed request, and uses that identifier to match the corresponding access message (that is, the first server's access message) on the blockchain.
S102, obtaining a public key of a first service end and a private key of a second service end;
In one possible implementation, for example, the first server is company B's server and the second server is company A's server. To ensure security, each company has its own public/private key pair; denote company A's public key PK_A and private key SK_A, and company B's public key PK_B and private key SK_B. When company B's server wants to access company A's data, it first obtains the access rule that company A's server has issued on the blockchain, parses it, and looks up the access time that company A's server has set in the rule. If the current moment falls within that access time, company B's access-permission application is encrypted with company A's public key PK_A and signed with company B's private key SK_B to prevent forgery. The signed message contains ID_B, the identity of company B; Self_condition_B, a description of company B's own situation; and Apply_Datasource_B, the data resource for which access is requested. Company B (the first server) then records the message on the blockchain and sends a data access request to company A's server (the second server). Company A's server (the second server) receives the access request, obtains the access message issued by company B from the blockchain, and then obtains company B's public key and its own private key.
S103, verifying the access message of the first server according to the public key of the first server to generate a first verification result;
In one possible implementation, after company B's public key and the server's own private key have been obtained in step S102, the access message received in step S101 is signature-verified with company B's public key using the ECC-secp k1 algorithm; once it is confirmed to be company B's access message, it is decrypted with the server's own private key using the ECC-secp k1 algorithm to generate the decrypted access message.
Further, when generating the access rule, for example as shown in FIG. 5, the second server first obtains its own public key and its parameter set, then digitally signs the parameter set with its private key to generate the access rule, encrypts the access rule with its public key, and issues the encrypted access rule to the blockchain.
For example, company A (the second server) first publishes on the blockchain all the conditions that other platforms wishing to access its data should meet, that is, the access rule. The rule is signed with company A's private key SK_A and generally includes company A's own identity ID_A, the qualification requirements Demands_A placed on the other company, the data resources Datasource_A available for access (such as a statistical average), the open access time Time_A, and the like.
S104, when the identification mark in the first verification result is the same as the identification mark of the first server, decrypting the access message of the first server through the private key of the second server to generate a decrypted access message; the identification mark is an identification parameter added when the first server generates the access message;
See step S103; this is not repeated here.
S105, auditing the verification result and the decrypted access message according to a preset auditing mode to generate an auditing result;
The preset auditing modes are the modes in which the second server performs the authority audit after decrypting the access message sent by the first server; they comprise manual auditing and automatic auditing by the server.
In one possible implementation, for manual auditing the server first sends the access application to the auditing user's terminal as a prompt; after the prompt, an audit instruction is received and an audit result is generated from that instruction and fed back.
In another possible implementation, when the server audits automatically, it first obtains a preset set of authorized servers, then judges whether the requesting server of the access message is in that set, and generates the audit result once the judgment is complete.
Specifically, automatic auditing uses a smart contract. If Hyperledger Fabric is used for smart-contract auditing, the smart contract is in fact the on-chain code (chaincode), which can automatically execute specific business rules, can be formulated as an access-control type, and only allows certain approved members, such as companies A and B, to invoke it. In implementations, techniques such as virtual machines may be employed. On Ethereum, the smart contract may be deployed through an Ethereum package or a console. There are many implementations, and the method is not limited to these.
S106, determining an authorization result according to the auditing result;
The authorization result is the final result produced after the second server audits the first server's access message; it is either "audit passed" or "audit not passed".
In one possible implementation, when the audit result is "not passed", an access-refusal notification is generated and encrypted with the public key of the first server to obtain an encrypted access-refusal notification, and the encrypted access-refusal notification is digitally signed with the private key of the second server to generate the authorization result.
In another possible implementation, when the audit result is "passed", an access credential and an access time are generated, then the access credential and access time are encrypted with the public key of the first server to generate an encrypted access credential and access time, and finally the encrypted access credential and access time are digitally signed with the private key of the second server to generate the authorization result.
S107, encrypting the authorization result with the public key of the first server, sending the encrypted authorization result to a blockchain, and sending a data access response to the first server.
For example, if the audit is not passed, the transaction is terminated directly and a denial notification is issued on the blockchain; the notification is encrypted with the public key PK_B of company B's server (the first server) and signed by company A's server (the second server). Otherwise, company A's server (the second server) issues a message on the blockchain and sends a data access response to company B (the first server). In that message, Token_A_B is the token that company A's server authorizes and distributes to company B's server, serving as the access credential, and Expiration is the validity period of the token; a token past its validity period cannot be used for data access, which effectively ensures the backward security of the accessed data. Likewise, this message is encrypted with company B's public key PK_B and signed by A. In addition, company A records on its application server the tokens and token validity periods assigned to company B, the resources company B is allowed to access, and so on, for subsequent auditing.
Further, as shown in fig. 6, when receiving the data access response of the second server, the first server obtains the authorization result of the second server from the blockchain, obtains the public key of the second server and the private key of the first server, verifies the authorization result through the public key of the second server to generate a second verification result, decrypts the authorization result through the private key of the first server when the second verification result is the verification result sent by the second server, generates a decrypted authorization result, and finally determines whether to perform data access based on the decrypted authorization result.
In the embodiment of the present application, for example, as shown in fig. 7, the cross-platform application data security based on the blockchain provided in the present application splits the data from the shared access process, where the data is still stored locally by each platform application server, only the access rule issued by each platform is recorded on the blockchain, the access authority application of other platforms to the data, the authorization record of the data owner to the applicant, and so on. By distributing different access credentials such as tokens for different data requesters, the data possession platform can clearly know who has accessed what data at the time, and illegal leakage of the applied data by malicious staff inside the data requester is avoided. Meanwhile, the application endows different effective periods for different tokens, effectively ensures the backward security of data, and avoids illegal data leakage in data sharing, thereby reducing the security risk in data sharing.
The following are examples of the apparatus of the present invention that may be used to perform the method embodiments of the present invention. For details not disclosed in the embodiments of the apparatus of the present invention, please refer to the embodiments of the method of the present invention.
Fig. 8 is a schematic structural diagram of a data access right verification device according to an exemplary embodiment of the present invention, which is applied to a first service end. The data access rights verification system may be implemented as all or part of a computer device by software, hardware, or a combination of both. The apparatus 1 comprises an access rule acquisition module 10, a time determination module 20, a public key acquisition module 30, a data creation module 40, a data encryption module 50, a data signing module 60, a messaging module 70.
The access rule acquisition module 10 is configured to acquire an access rule generated in advance by the second server;
The time determining module 20 is configured to determine, based on the access rule, the open time at which the second server allows access to the resource;
The public key obtaining module 30 is configured to obtain the public key of the second server when the current time falls within the open time;
The data creation module 40 is configured to create rights access data for accessing the second server and to obtain the private key of the first server;
The data encryption module 50 is configured to encrypt the rights access data with the public key of the second server, generating encrypted rights access data;
The data signing module 60 is configured to digitally sign the encrypted rights access data with the private key of the first server, generating the access message of the first server;
The message sending module 70 is configured to send the access message of the first server to a blockchain.
Fig. 9 is a schematic structural diagram of a data access right verification device according to an exemplary embodiment of the present invention, which is applied to a second server. The data access rights verification system may be implemented as all or part of a computer device by software, hardware, or a combination of both. The device 2 comprises a message acquisition module 10, a public key and key acquisition module 20, a result generation module 30, a decryption message generation module 40, an audit result generation module 50, an authorization result determination module 60 and a response module 70.
The message obtaining module 10 is configured to obtain the access message of the first server from a blockchain when a data access request of the first server is received;
The public key and key obtaining module 20 is configured to obtain the public key of the first server and the private key of the second server;
The result generating module 30 is configured to verify the access message of the first server with the public key of the first server, generating a first verification result;
The decryption message generating module 40 is configured to decrypt the access message of the first server with the private key of the second server, generating a decrypted access message;
The auditing result generating module 50 is configured to audit the verification result and the decrypted access message according to a preset auditing mode, generating an audit result;
The authorization result determining module 60 is configured to determine an authorization result according to the audit result;
The response module 70 is configured to encrypt the authorization result with the public key of the first server, send the encrypted authorization result to the blockchain, and send a data access response to the first server.
It should be noted that the division into the functional modules above is only an example of how the data access permission verification system of the foregoing embodiment performs the data access permission verification method. In practice the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the data access right verification system and the data access right verification method provided in the foregoing embodiments belong to the same concept; the detailed implementation is given in the method embodiment and is not repeated here.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the embodiment of the application, the blockchain-based cross-platform application data security decouples the data from the shared-access process: the data is still stored locally by each platform's application server, and only the access rules issued by each platform, the access permission applications of other platforms for the data, the authorization records of the data owner for each applicant, and the like, are recorded on the blockchain. By distributing different access credentials, such as tokens, to different data requesters, the platform that owns the data can know exactly who accessed which data and when, and illegal leakage of the requested data by malicious staff inside the data requester is avoided. Meanwhile, the application assigns different validity periods to different tokens, which effectively ensures the backward security of the data and avoids illegal data leakage in data sharing, thereby reducing the security risk of data sharing.
In one embodiment, a computer device is presented, the computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program: the first server side obtains access rules pre-generated by the second server side; the first service side determines the open time of the second service side for accessing the resource based on the access rule; when the current time accords with the open time, the first server side acquires a public key of the second server side; the first service end creates authority access data for accessing the second service end and acquires a private key of the first service end; the first service end encrypts the right access data based on the public key of the second service end to generate encrypted right access data; the first server side digitally signs the encrypted authority access data according to a private key of the first server side, and generates an access message of the first server side; and the first server sends the access message of the first server to a blockchain and sends a data access request to the second server. 
When the second server receives the data access request of the first server, the second server acquires the access message of the first server from the blockchain; the second server obtains the public key of the first server and the private key of the second server; the second server verifies the access message of the first server with the public key of the first server to generate a first verification result; the second server decrypts the access message of the first server with the private key of the second server to generate a decrypted access message; the second server audits the verification result and the decrypted access message according to a preset auditing mode to generate an audit result; the second server determines an authorization result according to the audit result; the second server encrypts the authorization result with the public key of the first server, sends the encrypted authorization result to the blockchain, and sends a data access response to the first server. When the first server receives the data access response of the second server, it obtains the authorization result of the second server from the blockchain; the first server obtains the public key of the second server and the private key of the first server; the first server verifies the authorization result with the public key of the second server to generate a second verification result; when the second verification result confirms that the authorization result was sent by the second server, the first server decrypts the authorization result with its private key to generate a decrypted authorization result; and the first server determines, based on the decrypted authorization result, whether to perform data access.
In one embodiment, before the second server obtains the access message of the first server from the blockchain, the processor further executes the following steps: the second server obtains its own public key and a second server parameter set; the second server digitally signs the second server parameter set with its private key to generate an access rule; and the second server encrypts the access rule with the public key of the second server and issues the encrypted access rule to the blockchain.
In one embodiment, the second server auditing the verification result and the decrypted access message according to a preset auditing mode and generating an audit result, as executed by the processor, includes: when the auditing mode is manual auditing and the verification result is that the access message was sent by the first server, the second server receives an audit result instruction and generates an audit result based on that instruction; or, when the auditing mode is server auditing and the verification result is that the access message was sent by the first server, the second server obtains a preset set of authorized servers, judges whether the first server is in the set of authorized servers, and generates an audit result.
In one embodiment, the second server determining an authorization result according to the audit result, as executed by the processor, includes: when the audit result is not passed, the second server generates an access refusal notification; the second server encrypts the access refusal notification with the public key of the first server to obtain an encrypted access refusal notification; and the second server digitally signs the encrypted access refusal notification with the private key of the second server to generate the authorization result.
In one embodiment, the second server determining an authorization result according to the audit result, as executed by the processor, includes: when the audit result is passed, the second server generates an access credential and an access time; the second server encrypts the access credential and the access time with the public key of the first server to generate an encrypted access credential and access time; and the second server digitally signs the encrypted access credential and access time with the private key of the second server to generate the authorization result.
In one embodiment, a storage medium storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: the first server side obtains access rules pre-generated by the second server side; the first service side determines the open time of the second service side for accessing the resource based on the access rule; when the current time accords with the open time, the first server side acquires a public key of the second server side; the first service end creates authority access data for accessing the second service end and acquires a private key of the first service end; the first service end encrypts the right access data based on the public key of the second service end to generate encrypted right access data; the first server side digitally signs the encrypted authority access data according to a private key of the first server side, and generates an access message of the first server side; and the first server sends the access message of the first server to a blockchain and sends a data access request to the second server. 
When the second server receives the data access request of the first server, the second server acquires the access message of the first server from the blockchain; the second server obtains the public key of the first server and the private key of the second server; the second server verifies the access message of the first server with the public key of the first server to generate a first verification result; the second server decrypts the access message of the first server with the private key of the second server to generate a decrypted access message; the second server audits the verification result and the decrypted access message according to a preset auditing mode to generate an audit result; the second server determines an authorization result according to the audit result; the second server encrypts the authorization result with the public key of the first server, sends the encrypted authorization result to the blockchain, and sends a data access response to the first server. When the first server receives the data access response of the second server, it obtains the authorization result of the second server from the blockchain; the first server obtains the public key of the second server and the private key of the first server; the first server verifies the authorization result with the public key of the second server to generate a second verification result; when the second verification result confirms that the authorization result was sent by the second server, the first server decrypts the authorization result with its private key to generate a decrypted authorization result; and the first server determines, based on the decrypted authorization result, whether to perform data access.
In one embodiment, before the second server obtains the access message of the first server from the blockchain, the processors further execute the following steps: the second server obtains its own public key and a second server parameter set; the second server digitally signs the second server parameter set with its private key to generate an access rule; and the second server encrypts the access rule with the public key of the second server and issues the encrypted access rule to the blockchain.
In one embodiment, the second server auditing the verification result and the decrypted access message according to a preset auditing mode and generating an audit result, as executed by the processors, includes: when the auditing mode is manual auditing and the verification result is that the access message was sent by the first server, the second server receives an audit result instruction and generates an audit result based on that instruction; or, when the auditing mode is server auditing and the verification result is that the access message was sent by the first server, the second server obtains a preset set of authorized servers, judges whether the first server is in the set of authorized servers, and generates an audit result.
In one embodiment, the second server determining an authorization result according to the audit result, as executed by the processors, includes: when the audit result is not passed, the second server generates an access refusal notification; the second server encrypts the access refusal notification with the public key of the first server to obtain an encrypted access refusal notification; and the second server digitally signs the encrypted access refusal notification with the private key of the second server to generate the authorization result.
In one embodiment, the second server determining an authorization result according to the audit result, as executed by the processors, includes: when the audit result is passed, the second server generates an access credential and an access time; the second server encrypts the access credential and the access time with the public key of the first server to generate an encrypted access credential and access time; and the second server digitally signs the encrypted access credential and access time with the private key of the second server to generate the authorization result.
The blockchain-based cross-platform application data security provided by the application decouples the data from the shared-access process: the data is still stored locally by each platform's application server, and only the access rules issued by each platform, the access permission applications of other platforms for the data, and the authorization records of the data owner for each applicant are recorded on the blockchain. By distributing different access credentials, such as tokens, to different data requesters, the platform that owns the data can know exactly who accessed which data and when, and illegal leakage of the requested data by malicious staff inside the data requester is avoided. Meanwhile, the application assigns different validity periods to different tokens, which effectively ensures the backward security of the data and avoids illegal data leakage in data sharing, thereby reducing the security risk of data sharing.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored in a computer-readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. The storage medium may be a nonvolatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a random access Memory (Random Access Memory, RAM).
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above-described embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (9)

1. A data access right verification method applied to a first service end, the method comprising:
Acquiring access rules pre-generated by a second server; wherein,
Generating the access rule comprises the following steps:
obtaining a public key of a second server and a second server parameter set; performing digital signature on the second server parameter set based on the private key of the second server to generate an access rule; wherein,
The signature can be encrypted and decrypted by using an elliptic curve and is realized by using an ECC-secp k1 algorithm;
Determining the open time of the second server to access the resource based on the access rule;
When the current time accords with the open time, acquiring a public key of the second server;
creating authority access data for accessing the second service end and acquiring a private key of the first service end;
Encrypting the right access data based on the public key of the second server side to generate encrypted right access data;
carrying out digital signature on the encrypted authority access data according to the private key of the first server to generate an access message of the first server;
And sending the access message of the first server to a blockchain, and sending a data access request to the second server.
2. The method of claim 1, wherein after the sending the access message of the first server to the blockchain, further comprises:
When receiving a data access response generated by the second server side aiming at the data access request, acquiring an authorization result generated by the second server side aiming at the data access request from a blockchain; the authorization result is generated after the access message is obtained from a blockchain and is checked when the second server receives the access request; the data access response is a response sent by the second server side aiming at the first server side after the second server side generates the authorization result;
Obtaining a public key of the second service end and a private key of the first service end;
Verifying the authorization result through the public key of the second server side to generate a second verification result;
When the identification mark in the second verification result is the same as the identification mark of the second server, decrypting the authorization result through the private key of the first server to generate a decrypted authorization result; the identification mark is an identification parameter added when the second server generates the authorization result;
and determining whether to perform data access or not based on the decrypted authorization result.
3. The data access right verification method is applied to a second server and is characterized by comprising the following steps:
When a data access request sent by a first server for the second server is received, an access message sent by the first server for the second server is obtained from a blockchain; wherein,
Before the access message of the first service end is obtained from the blockchain, the method further comprises the following steps:
obtaining a public key of a second server and a second server parameter set;
Performing digital signature on the second server parameter set based on the private key of the second server to generate an access rule;
encrypting the access rule according to the second server public key and then issuing the encrypted access rule to a blockchain;
Obtaining a public key of a first service end and a private key of a second service end;
verifying the access message of the first server according to the public key of the first server to generate a first verification result;
When the identification mark in the first verification result is the same as the identification mark of the first server, decrypting the access message of the first server through the private key of the second server to generate a decrypted access message; the identification mark is an identification parameter added when the first server generates the access message;
Auditing the verification result and the decrypted access message according to a preset auditing mode to generate an auditing result;
determining an authorization result according to the auditing result;
and encrypting the authorization result through the public key of the first service end, sending the encrypted authorization result to a blockchain, and sending a data access response to the first service end.
4. The method of claim 3, wherein the preset auditing mode includes a manual auditing mode and a server auditing mode;
The verification result and the decrypted access message are audited according to a preset auditing mode, and the generation of the auditing result comprises the following steps:
When the auditing mode is artificially audited and the verification result is an access message sent by the first server, receiving an auditing result instruction and generating an auditing result based on the auditing result instruction; or
When the auditing mode is server auditing and the verification result is an access message sent by the first server, acquiring a preset authorized server set;
judging whether the first server side exists in the authorized server side set or not, and generating an auditing result.
5. A method according to claim 3, wherein said determining an authorization result from said audit result comprises:
when the auditing result is that the data does not pass, generating a refusal access notification;
Encrypting the access refusal notification through the public key of the first server to obtain an encrypted access refusal notification;
And carrying out digital signature on the encrypted access refusing notification through the private key of the second server side to generate an authorization result.
6. A method according to claim 3, wherein said determining an authorization result from said audit result comprises:
when the auditing result is passed, generating an access credential and access time;
encrypting the access credentials and the access time through the public key of the first server side to generate encrypted access credentials and access time;
And digitally signing the encrypted access credentials and the access time through the private key of the second server side to generate an authorization result.
7. A data access rights verification apparatus applied to a first service side, the apparatus comprising:
the access rule acquisition module is used for acquiring access rules pre-generated by the second server side; wherein,
Generating the access rule comprises the following steps:
obtaining a public key of a second server and a second server parameter set; performing digital signature on the second server parameter set based on the private key of the second server to generate an access rule; wherein,
The signature can be encrypted and decrypted by using an elliptic curve and is realized by using an ECC-secp k1 algorithm;
The time determining module is used for determining the open time of the second server to access the resource based on the access rule;
the public key acquisition module is used for acquiring a public key of the second server when the current time accords with the open time;
the data creation module is used for creating authority access data for accessing the second service end and acquiring a private key of the first service end;
the data encryption module is used for encrypting the right access data based on the public key of the second server side and generating encrypted right access data;
the data signing module is used for digitally signing the encrypted authority access data according to the private key of the first server to generate an access message of the first server;
And the message sending module is used for sending the access message of the first server to the blockchain.
8. A computer device comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the data access rights verification method of any one of claims 1 to 6.
9. A storage medium storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the data access rights verification method of any one of claims 1 to 6.
CN202010760949.7A 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium Active CN111914293B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010760949.7A CN111914293B (en) 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium
PCT/CN2020/124726 WO2021139338A1 (en) 2020-07-31 2020-10-29 Data access permission verification method and apparatus, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010760949.7A CN111914293B (en) 2020-07-31 2020-07-31 Data access right verification method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111914293A CN111914293A (en) 2020-11-10
CN111914293B true CN111914293B (en) 2024-05-24

Also Published As

Publication number Publication date
WO2021139338A1 (en) 2021-07-15
CN111914293A (en) 2020-11-10

Similar Documents

Publication Publication Date Title
CN111914293B (en) Data access right verification method and device, computer equipment and storage medium
CN111316278B (en) Secure identity and profile management system
US11314891B2 (en) Method and system for managing access to personal data by means of a smart contract
US8667287B2 (en) Transaction auditing for data security devices
US8843415B2 (en) Secure software service systems and methods
US7526649B2 (en) Session key exchange
RU2501081C2 (en) Multi-factor content protection
US20190333031A1 (en) System, method, and computer program product for validating blockchain or distributed ledger transactions in a service requiring payment
US9064129B2 (en) Managing data
US20080209575A1 (en) License Management in a Privacy Preserving Information Distribution System
US8631486B1 (en) Adaptive identity classification
KR101817152B1 (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
EP3844905A1 (en) Privacy-preserving mobility as a service supported by blockchain
CN110020869B (en) Method, device and system for generating block chain authorization information
US20160335453A1 (en) Managing Data
CN115242553A (en) Data exchange method and system supporting secure multi-party computation
US11750397B2 (en) Attribute-based encryption keys as key material for key-hash message authentication code user authentication and authorization
WO2021170049A1 (en) Method and apparatus for recording access behavior
JPH05298174A (en) Remote file access system
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
CN113468591A (en) Data access method, system, electronic device and computer readable storage medium
US11153299B2 (en) Secure data transport using trusted identities
CN114978771B (en) Data security sharing method and system based on blockchain technology
CN115567314B (en) License security agent method and platform based on hardware trusted trust chain
CN114881650B (en) TEE-based privacy protection distributed account book auditing method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant